PayPal Express Checkout Token does not exist - allowing multiple orders through #2044

@trabulium

Preconditions (*)

OpenMage LTS 19.4.x

  1. SameSite = LAX - I can't give much further detail on how to replicate.

Steps to reproduce (*)

  1. We've been unable to reproduce. This is on a store with over 1M orders and we have never seen this issue until now
  2. It seems to be related to some sort of race condition. View Nginx log here:

[30/Mar/2022:13:57:12 +1100] "GET /paypal/express/review/ HTTP/1.1" "AU" 200 36096
[30/Mar/2022:13:57:23 +1100] "POST /paypal/express/placeOrder/ HTTP/1.1" "AU" 302 5
[30/Mar/2022:13:57:23 +1100] "POST /paypal/express/saveShippingMethod/ HTTP/1.1" "AU" 302 5
[30/Mar/2022:13:57:23 +1100] "GET /paypal/express/review/ HTTP/1.1" "AU" 200 36095
.....

where the saveShippingMethod hits after placeOrder but before the 302 redirect occurs (user was on Firefox).

Mage2 users seem to be reporting the same issue and a user states "SameSite = None" resolves the issue for him. We are running SameSite LAX from this merge: https://github.com/OpenMage/magento-lts/pull/1246/files

I'm not convinced this would fix the issue for us, but since it's a 1-in-a-million bug for us that we can't replicate, it's hard to determine.
magento/magento2#28916

Expected result (*)

  1. Error is shown to the user OR
  2. Order goes through without any error

Actual result (*)

  1. We received 4 orders, each of which said it was paid (one for each /placeOrder attempt), with the same reference number from PayPal

I'm not expecting any bugfix soon on this; rather, if someone encounters the issue, this can give them pointers to debug more easily.
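
An added example, not part of the original issue or of OpenMage's code: a Python check over access-log lines in the format quoted above that flags a placeOrder POST followed, within a short window, by saveShippingMethod or by another placeOrder. It assumes the lines are in time order and already filtered to one client; the 2-second window, the function name and the last sample line are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Format quoted in the issue: [time] "METHOD path HTTP/x" "CC" status bytes
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" "[^"]*" \d{3} \d+')
PLACE_ORDER = "/paypal/express/placeOrder/"
SAVE_SHIPPING = "/paypal/express/saveShippingMethod/"

# The four log lines quoted in the issue.
ISSUE_LINES = [
    '[30/Mar/2022:13:57:12 +1100] "GET /paypal/express/review/ HTTP/1.1" "AU" 200 36096',
    '[30/Mar/2022:13:57:23 +1100] "POST /paypal/express/placeOrder/ HTTP/1.1" "AU" 302 5',
    '[30/Mar/2022:13:57:23 +1100] "POST /paypal/express/saveShippingMethod/ HTTP/1.1" "AU" 302 5',
    '[30/Mar/2022:13:57:23 +1100] "GET /paypal/express/review/ HTTP/1.1" "AU" 200 36095',
]
# Constructed line (not from the issue): a second placeOrder one second later.
CONSTRUCTED_LINE = '[30/Mar/2022:13:57:24 +1100] "POST /paypal/express/placeOrder/ HTTP/1.1" "AU" 302 5'


def find_checkout_races(lines, window_seconds=2):
    """Return (timestamp, reason) for each placeOrder POST that is followed,
    within the window, by saveShippingMethod or another placeOrder.

    Assumes lines are in time order and already filtered to one client,
    because the quoted log format carries no client identifier.
    """
    posts = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["method"] == "POST":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            posts.append((ts, m["path"]))
    window = timedelta(seconds=window_seconds)
    findings = []
    for i, (ts, path) in enumerate(posts):
        if path != PLACE_ORDER:
            continue
        for later_ts, later_path in posts[i + 1:]:
            if later_ts - ts > window:
                break  # time-ordered input: nothing later can be in the window
            if later_path == SAVE_SHIPPING:
                findings.append((ts, "saveShippingMethod after placeOrder"))
            elif later_path == PLACE_ORDER:
                findings.append((ts, "repeated placeOrder"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_checkout_races(ISSUE_LINES + [CONSTRUCTED_LINE]):
        print(ts.isoformat(), reason)
```

Hits from this check can then be compared against orders that share one PayPal reference number, which is the symptom reported under "Actual result".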
