AJAX POST request call using Laravel's controller and exclusion from CSRF protection but returns error 500

I have created my POST request using AJAX, then checked my request URL /ajax/order-ratings/list in the web.php, and included this in the VerifyCsrfToken.php. In the controller part, my eloquent syntax seems to be correct, but when I checked the Google DevTools, it returned error 500, so the json response is Response {type: "basic", url: "https://quickenow.com/ajax/order-ratings/list", redirected: false, status: 500, ok: false, … My objective is to get the data from the request like order id, where do I get wrong in this ajax request?

order.blade.php

var loadRating = (orderId) => {
            console.log(orderId);
            let headers = {};
            headers['X-Requested-With'] = "XMLHttpRequest";

            var data = new FormData();
            data.append('orderId', orderId);
            return new Promise((resolve, reject) => { 
                fetch("{{ secure_url('/ajax/order-ratings/list') }}", {
                    headers: headers,
                    method: "POST",
                    body: data,
                    credentials: "same-origin"
                }).then((res) => {
                    if(res.status !== 200)
                        console.log('error fetching data');
                        //return M.toast({ html: 'list order ratings failed'}); 

                    return res.json();
                }).then((data) => {
                    if(data.models.length == 0){
                         resolve('');
                    }
                    data.models.forEach((model) => {
                        resolve(model.editor_rating);
                    });
                });
            });
        };

WebAjaxPostOrderRatingsController.php (controller)

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class WebAjaxPostOrderRatingsController extends Controller
{
public function handle(Request $request)
{
    $order = $request->input('orderId');
    $models = \App\Models\Rating::where("order_id" ,"=", $order)->get();
    if($model === null){
        return response()->json(['models' => $models, 'errors' => []]);
    }
    return response()->json(['models' => $models, 'errors' => []]);
}

}

Rating.php (model)

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Rating extends Model
{
    //
    protected $table = 'ratings';


    public function save(Array $options=[])
    {
        $errors = [];

        if(strlen($this->rating) === 0)
            $errors['rating'] = 'invalid rating';

        if(count($errors) !== 0)
            return $errors;

        parent::save($options);
        return [];
    }
}

VerifyCsrfToken.php (CSRF protection)

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
protected $addHttpCookie = true;

protected $except = [
    //
    '/ajax/orders/list',
    '/ajax/orders/edit',
    '/ajax/orders/view',
    '/ajax/orders/reject', 
    '/ajax/orders/submit', 

    '/ajax/packs/list',
    '/ajax/packs/edit',
    '/ajax/packs/save', 
    '/ajax/packs/delete', 
    '/ajax/packs/delete-many', 

    '/ajax/users/list',
    '/ajax/users/edit',
    '/ajax/users/save', 
    '/ajax/users/delete', 
    '/ajax/users/delete-many', 

    '/ajax/biz-settings/list',
    '/ajax/biz-settings/edit',
    '/ajax/biz-settings/save', 
    '/ajax/biz-settings/delete', 
    '/ajax/biz-settings/delete-many', //added 

    '/ajax/customers/list',
    '/ajax/customers/delete', 
    '/ajax/customers/delete-many',  //added

    '/ajax/app-infos/list',
    '/ajax/app-infos/edit',
    '/ajax/app-infos/save', 
    '/ajax/app-infos/delete', 
    '/ajax/app-infos/delete-many',  //added

    '/ajax/faqs/list',
    '/ajax/faqs/edit',
    '/ajax/faqs/save', 
    '/ajax/faqs/delete', 
    '/ajax/faqs/delete-many',  //added

    '/ajax/user-guide/list',
    '/ajax/user-guide/edit',
    '/ajax/user-guide/save', 
    '/ajax/user-guide/delete', 
    '/ajax/user-guide/delete-many',  //added

    '/ajax/user-ratings/list',  //added

    '/ajax/order-ratings/list',  //added
];

}

web.php (routes)

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/

// prevents unauthorized access
$c = [ \App\Http\Middleware\WebAuthMiddleware::class ];

Route::get('/', function () {
    die('please go to https://quickenow.com/login');
    return view('welcome');
});

Route::get(  '/try-push',  'WebGetTryPushController@handle');
Route::get(  '/push-it',  'WebGetTryPushController@handle');

Route::get(  '/privacy-policy',        'WebGetPrivacyPolicyController@handle');
Route::get(  '/terms-and-conditions',  'WebGetTermsAndConditionsController@handle');

Route::post( '/ajax/user-guide/list',   'WebAjaxPostUserGuideListController@handle')->middleware($c);
Route::post( '/ajax/user-guide/edit',   'WebAjaxPostUserGuideEditController@handle')->middleware($c);
Route::post( '/ajax/user-guide/save',   'WebAjaxPostUserGuideSaveController@handle')->middleware($c);
Route::post( '/ajax/user-guide/delete', 'WebAjaxPostUserGuideDeleteController@handle')->middleware($c);
Route::post( '/ajax/user-guide/delete-many', 'WebAjaxPostUserGuideDeleteManyController@handle')->middleware($c); //added

Route::post( '/ajax/user-guide/upload',   'WebAjaxPostUserGuideImageController@handle')->middleware($c);

Route::post( '/ajax/user-ratings/list', 'WebAjaxPostUserRatingsController@handle')->middleware($c); //added

Route::post( '/ajax/order-ratings/list', 'WebAjaxPostOrderRatingsController@handle')->middleware($c); //added