Hey @john!
You are correct, you will only receive the Deauthorization Event Notification Webhook with the Production version of your app. You can test this by installing the production version of your app via your app's publishable URL, and then uninstalling your app on your "Installed Apps" page.
I made a simple PHP web server and was able to see the Verification Token in the request headers (when testing a Zoom event/webhook sent to my server). Here is my code:
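Example 1.
<?php
// Dump all server and request variables (including HTTP_* headers) to the error log
error_log(print_r($_SERVER, true));
?>
Example 2.
<?php
// Dump only the request headers to the error log
error_log(print_r(getallheaders(), true));
?>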
Just FYI, your client_id is publicly available via the install URL. So I would use the Verification Token to verify the requests are coming from Zoom, as the Verification Token is not publicly available.
Example:
https://zoom.us/oauth/authorize?response_type=code&client_id={YOUR_CLIENT_ID}&redirect_uri={https://YOUR_REDIRECT_URI}
Happy to hear you figured it out!
Let me know if you have any other questions!
Thanks,
Tommy
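
One way to act on the advice in this reply, as an added example that is not part of the original post or Zoom's own code: a PHP webhook endpoint that rejects any request whose Verification Token does not match the expected value. It assumes the token arrives in the `Authorization` request header and that the expected value is stored in an environment variable named `ZOOM_VERIFICATION_TOKEN` (a hypothetical name); the function names are also illustrative.

```php
<?php
// Added example: accept a webhook only if it carries the expected Verification Token.
// Assumptions: token is sent in the "Authorization" header; the expected value
// lives in the ZOOM_VERIFICATION_TOKEN environment variable (hypothetical name).

// Header names are case-insensitive, so look the header up without relying on case.
function find_header(array $headers, string $name): ?string
{
    foreach ($headers as $key => $value) {
        if (strcasecmp((string) $key, $name) === 0) {
            return (string) $value;
        }
    }
    return null;
}

// Returns true only when a token is configured, present, and equal.
function is_from_zoom(array $headers, string $expectedToken): bool
{
    $received = find_header($headers, 'Authorization');
    if ($expectedToken === '' || $received === null) {
        return false; // fail closed on missing configuration or missing header
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals($expectedToken, $received);
}

$expected = getenv('ZOOM_VERIFICATION_TOKEN') ?: '';
$headers  = function_exists('getallheaders') ? (getallheaders() ?: []) : [];

if (!is_from_zoom($headers, $expected)) {
    http_response_code(401);
    exit;
}

// Only parse the body after the sender has been verified.
$event = json_decode((string) file_get_contents('php://input'), true);
if (!is_array($event) || !isset($event['event']) || !is_string($event['event'])) {
    http_response_code(400);
    exit;
}

// Log the event name only; never write the token itself to logs.
error_log('Verified Zoom webhook: ' . $event['event']);
http_response_code(200);
```

Unlike the debugging snippets in the post, this handler does not dump the full header set to the error log, so the token is not persisted anywhere it could be read later.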