Your best bet is to look where that is verified and work backwards from there:
I would assume the URL parameter is working fine so I would probably start with checking into how sessions are working in your environment, maybe add some additional logging to catch more information about the error.
Something that just came to mind … can you visit your callback URL directly? And, if so, does it throw that same error if you leave off the necessary code
and state
parameters? Would there be any way that someone could get there, maybe even a bot?