Yep, came back after rereading to correct my mis-assumption. Nonce could be implied or explicit here. You could use the URL itself (or its hash) but good luck with canonicalization issues :( Not entirely sure *payer* proof is required here, but it's good practice.