We have noticed that users with fresh browser session (newly opened browser), are not able to initially start a session using the given URL from the API. They are first directed to a /signing page. If they close the tab, then attempt to start the session again using the provided link it works fine.
I did a little digging and it looks like the start_url is expecting some cookies that are not initially set. But once the user has hit /signin and got some cookies, the next request works fine. We are pretty confident that this has not always been the case and are wondering if something has changed.
We are still using v1 of the API.