After some research, I’ve found instances of this problem occurring when an email client will automatically click user’s links for them. Specifically, Office 365 has been known to have this behavior. Another possibility is an email antivirus doing something similar with the link provided. Does your user’s email get verified before you actually click the link? This would be a symptom of this problem.
If you have a development tenant available you may want to try to see if you can reproduce the issue when using a mail provider that does not actually deliver the email to the end-user inbox (for example, https://mailtrap.io/).
Hope this helps! Let me know if there is anything else I can do to help.