nov / signin-with-apple

Sample app for “apple_id” ruby gem.

Home Page:https://signin-with-apple.herokuapp.com


How could Apple ever return a state value that is equal to the session's state?

rmdashrfv opened this issue · comments

In the session controller, there's no way that this line could return true: if params[:code].present? && session.delete(:state) == params[:state].

Because "state" in session is just a SecureRandom.hex(8) string. The state string returned by Apple is completely different. Is this something that has been updated?

The state is sent to Apple as part of the authorization request and then verified when the user is redirected back to the application. It's done on line 23 of the sessions_controller.
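The round trip described in that reply, as an added example that is not the sample app's or the apple_id gem's own code: a plain Hash stands in for the Rails session, a small stub plays Apple's part by echoing the state back, and the authorization endpoint, parameter names and sample values are assumptions chosen for illustration.

```ruby
require 'securerandom'
require 'uri'

# Assumed Apple authorization endpoint (illustrative, not taken from the gem).
AUTHORIZE_ENDPOINT = 'https://appleid.apple.com/auth/authorize'

# Compare two strings without leaking where they differ via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Leg 1: the app mints a random state, remembers it in the (Hash-backed) session,
# and sends that same value to Apple inside the authorization request.
def build_authorization_url(session, client_id:, redirect_uri:)
  state = SecureRandom.hex(8)
  session[:state] = state
  query = URI.encode_www_form({ client_id: client_id, redirect_uri: redirect_uri,
                                response_type: 'code', state: state })
  "#{AUTHORIZE_ENDPOINT}?#{query}"
end

# Stand-in for Apple: it does not invent a state, it echoes back the one it was sent.
def apple_redirect_params(authorization_url)
  sent = URI.decode_www_form(URI(authorization_url).query).to_h
  { code: 'constructed-authorization-code', state: sent['state'] }
end

# Leg 2: the callback removes the stored state from the session (so it is single use)
# and requires the echoed value to match before the code is trusted.
def handle_callback(session, params)
  expected = session.delete(:state)
  return :missing_code if params[:code].to_s.empty?
  return :state_mismatch if expected.nil? || !constant_time_equal?(expected, params[:state].to_s)
  :ok
end

# Full round trip, followed by the two cases the check exists to reject.
def round_trip
  session = {}
  url = build_authorization_url(session, client_id: 'com.example.app', redirect_uri: 'https://app.example/callback')
  echoed = apple_redirect_params(url)
  genuine = handle_callback(session, echoed)                                   # :ok
  replay  = handle_callback(session, echoed)                                   # :state_mismatch, state already consumed
  session[:state] = SecureRandom.hex(8)                                        # a new flow has started
  forged  = handle_callback(session, echoed.merge(state: 'not-from-this-flow')) # :state_mismatch
  [genuine, replay, forged]
end
```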