in reply to CGI Debugging: always the last place you look.
So a follow-up as to how things were resolved.
Thankfully, the structure of the underlying billing objects was such that the CC was only ever going to be billed once. Additional checking in the run-mode was added to check for a double-submit, but it may not have caught this error (because two requests were coming in simultaneously, the DB might not have been updated in time). That said, a second user click is now addressed properly in the CGI, not just in the underlying API.
Additionally, the form submit was changed from a GET method to a POST method. While it won't explicitly protect against the user double-click, it will throw up the "Are you sure you want to re-submit?" message in most modern browsers. At least it will make the user think twice about their actions.
Thinking about things further, it can be viewed as a cautionary tale for developers who have other people handle the HTML in their templates. The original templates I developed contained template logic & minimal HTML only. When I handed them off, I had tested the app fully; it worked as expected. But I made the mistake of not carefully testing it when I got the templates back (only cursory checks). One of the reasons this took so long to debug was that it never occurred to me that the fancy HTML added later could be the culprit. From now on, I'll be vetting every template that someone else touches.
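
The post above notes that a check-then-update double-submit test can miss two simultaneous requests. As an added example (not the poster's code), here is one way to close that window with a one-time form token claimed in a single atomic UPDATE. The `form_token` table and the `issue_token`/`claim_token` subs are hypothetical names, and the sketch assumes DBI with DBD::SQLite and a Unix `/dev/urandom`.

```perl
use strict;
use warnings;
use DBI;

# Constructed schema: one row per rendered form, keyed by a one-time token.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE form_token (
              token TEXT PRIMARY KEY,
              used  INTEGER NOT NULL DEFAULT 0)');

# Called when the form is rendered; the token goes into a hidden field.
sub issue_token {
    my ($dbh) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    my $token = unpack 'H*', $bytes;
    $dbh->do('INSERT INTO form_token (token) VALUES (?)', undef, $token);
    return $token;
}

# Called at the top of the billing run-mode. The test and the write are one
# statement, so the database serialises concurrent requests: exactly one of
# them changes used from 0 to 1. A separate SELECT followed by an UPDATE
# would leave the gap in which both requests see used = 0.
sub claim_token {
    my ($dbh, $token) = @_;
    my $rows = $dbh->do(
        'UPDATE form_token SET used = 1 WHERE token = ? AND used = 0',
        undef, $token);
    return $rows == 1;    # do() returns "0E0" when no row matched
}

# Constructed demonstration: the same form submitted twice.
my $token = issue_token($dbh);
for my $click (1, 2) {
    if (claim_token($dbh, $token)) {
        print "click $click: token claimed, proceed to billing\n";
    }
    else {
        print "click $click: duplicate or unknown token, not billed\n";
    }
}
```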