MDL-65973 for reference.
The form lib internaly do some sesskey checks to validate a form submission (for security, mostly).
This is not compatible with WS requests so we've had to patch this via $USER->ignoresesskey
Maybe we should look for a generic solution for this at the form library? formlibs.php _process_submission() function does the sesskey check. Should we ignore the sesskey check when the global WS_SERVER is set?