Yes, when the email is initiated by the Lock widget (or Auth0.js) the single or double curly brace syntax appears to work as expected. When you use the “Try” feature for an email template from the Auth0 Dashboard, the email will not have a value for “{{application.callback_domain}}” because the “Try” feature is not associated with a particular client and there is no associated callback domain.
It appears that the “BadRequestError” error you are receiving when clicking the verify link is a result of trying to use the same link multiple times. The verify links are one-time use URLs.
I hope this helps.
Matt