Good news again 
I’ve solved the problem by setting the nonce parameter as the topic_id of the form, which is then included in the returned payload and loads the correct form.
It now works, hurrah - http://tell.edgeryders.eu
The last remaining feature to implement is to save the user_api_key in local storage so users don’t have to re-authenticate again.
In general terms, this is how it works:
- A private RSA key is read from the .env file
- The application generates a public key from this, which is included in a url parameter (along with api scopes, nonce, redirect url) to the endpoint
https://edgeryders.eu/user-api-key/new - When the user is sent to this url and authenticates, Discourse sends a payload encrypted with the public key back to the application
- The application decrypts the payload containing the user API key (using the private key) which is then used to post the topic to the platform
It sounds a bit simple, but it was a pretty long and windy road to get it working. The upshot of this is it can be used now for many other purposes, we’ve got a working solution for interfacing with the platform from a front end application.
I have also published documentation for anyone who needs to set up a form here.