Send Request Signature as an HTTP Header
Please consider providing the timestamp, token and signature as http headers. Some frameworks such has JAX-RS provide the ability to validate an incoming request via interceptors. This is difficult to do with form data as it is processed later in the request.
Ideally this would be done similar to Twilio https://www.twilio.com/docs/security
Based on this we could verify the request before actually decoding the form data.