I've been trying to replicate the error in the reports and the only way I can find so far is to change the my $signing_secret or $ENV{'HTTP_STRIPE_SIGNATURE'}

The signature check is described here but it is a concatenation of part of the $ENV{'HTTP_STRIPE_SIGNATURE'} and the JSON payload which is encoded using SHA256 with the other part of $ENV{'HTTP_STRIPE_SIGNATURE'} and the secret as the key.

It works locally and in a web environment so it is not an issue with the way the check is implemented.

Is it possible that the JSON object in __DATA__ could change when distributed through CPAN as that would cause this fail?