I discovered one flow where this issue could be present. It's a bit odd but I think this could happen for the developer only in the case that the application gets a timeout on your callback request and tries again. since the backend thinks it has given a good callback to the application already and the client uses the same auth code it will fail. That makes it look like it fails. Do apple reviewers have that of a shitty connection?