interledger / rafiki

An open-source, comprehensive Interledger service for wallet providers, enabling them to provide Interledger functionality to their users.

Home Page: https://rafiki.dev/


Make `backend` API resilient against replay attacks

njlie opened this issue · comments

See #2709 (comment)

In #2632 API signature validation was added to the backend service. This same approach was used for the auth service in #2709, but it was mentioned in the linked comment that it was vulnerable to replay attacks. That was addressed in the PR for the auth service, but it needs to be patched in the backend service as well.
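The shape of the check this issue asks for, as an added example that is not Rafiki's own code: an HMAC over the timestamp and request body, a freshness window, and a cache of already-accepted signatures so that a captured valid request cannot simply be resubmitted. The `t=<ms>, v1=<hex>` header format, the 30-second window and the shared secret are assumptions made for this example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Assumed header format for this example: "t=<unix-ms>, v1=<hex hmac-sha256>".
// The digest covers "<t>.<body>", so changing either the timestamp or the body breaks it.
const MAX_SKEW_MS = 30_000 // assumed freshness window

function sign(secret: string, body: string, t: number): string {
  const digest = createHmac('sha256', secret).update(`${t}.${body}`).digest('hex')
  return `t=${t}, v1=${digest}`
}

function parseSig(header: string): { t: number; v1: string } | null {
  const m = /^t=(\d+), v1=([0-9a-f]{64})$/.exec(header)
  return m ? { t: Number(m[1]), v1: m[2] } : null
}

type Result = 'ok' | 'bad-format' | 'stale' | 'bad-digest' | 'replay'

class ReplayResistantVerifier {
  // Signatures accepted within the window; an identical resubmission is rejected.
  // In a multi-instance deployment this map would live in a shared store (e.g. Redis with a TTL).
  private seen = new Map<string, number>()
  constructor(private secret: string, private now: () => number = Date.now) {}

  verify(header: string, body: string): Result {
    const sig = parseSig(header)
    if (!sig) return 'bad-format'
    const now = this.now()
    // Reject anything outside the window before doing any crypto work.
    if (Math.abs(now - sig.t) > MAX_SKEW_MS) return 'stale'
    const expected = createHmac('sha256', this.secret).update(`${sig.t}.${body}`).digest('hex')
    const a = Buffer.from(sig.v1, 'hex')
    const b = Buffer.from(expected, 'hex')
    if (a.length !== b.length || !timingSafeEqual(a, b)) return 'bad-digest'
    // Only valid signatures are remembered, so an attacker cannot fill the cache with junk.
    this.seen.forEach((expiresAt, key) => { if (expiresAt <= now) this.seen.delete(key) })
    if (this.seen.has(sig.v1)) return 'replay'
    this.seen.set(sig.v1, sig.t + MAX_SKEW_MS)
    return 'ok'
  }
}
```

The timestamp bounds how long a captured request is useful, and the seen-signature cache closes the remaining window in which a verbatim replay would otherwise pass.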