Hi, @centerm,
Right now, we don’t reveal the client IP address for this type of request. Sorry about that! I think @schoen’s analysis is probably correct.
Once accounturi binding is available in our production environment, that could be a way to prevent unwanted validation requests.