In my default configuration (an MVC website, not a desktop application), the FDT uses the session key in the MD5 hash computing the signature.
...in both case useSession = true;
Force this to useSession = false and, voila, no incorrect signature error, and all is, momentarily, right with the world.
So, knowing what to look for I grabbed a bit of code from brianromanko here, and stuck that under both the sync and asyc methods above:
Why this is creating a DesktopSession, and how to stop it, I have not yet determined.