Unfortunately, as you have discovered, calling a wildcard at the end of your URL will not work and can make your application vulnerable to attacks. A redirect_uri with the value of https://www.domain.com/staff/staff.php?Staff=88888A would be considered valid even if there were no staff with that value.
Some options around this would be to:
Include each URL to the list of Allowed Callback URLs as there is no limit on the number of callback URLs.
Redirect to a common URL such as the app’s home page
Here are some helpful resources for your reference: