This previous post on this said to use an iFrame, but that has been broken by the CSRF tokens logic you have now. When you use an iFrame, that token is considered a 3rd party token which modern browsers have started blocking. As of writing this, Safari, iOS Webviews, and Android Webviews all seem to block it, Chrome does not.
That means I cannot embed your survey in a site with the iFrame method. Turning off that setting is not possible either as it's a "Security setting" and any reasonable customer will not allow themselves to be less secure. (One of those, shoot yourself in the foot deals)
I could really use another option for embedding surveys that would work.
Try Safari. The setting that is defaulted on which blocks this can be found under Preferences -> Privacy -> Block Cookies "From third parties and advertisers". That "third parties" part is an iFrame.
Both iOS and Android webviews also have this blocking on by default. I have not found a setting in iOS(a documented one at least) that will allow you to turn this on.
All good thoughts. We're basically going more the popup route. I was able to finally get the pass-thru values working. Not fully like it's documented, but enough. That let me passthru the info I needed on the callback URL so I can identify the session. Thanks for the help