We had an issue where some users were getting a "Invalid security token" error when trying to add media to H5P in the Content bank.
After quite a bit of digging, we found that basically, both mod_hvp, and core_h5p include core H5P classes, like \H5PCore, \H5PContentValidator, etc.
Each includes their own autoloader.
The problem comes in on some pages, the mod_hvp autoloader takes precedence, meaning that core_h5p\core inherits from mod_hvp's H5PCore, instead one included with Moodle. Specifically, it seems to happen (sometimes) when loading the content bank editing page, but not when ajax calls are made (I assume because the ajax calls load much few files/libraries in general).
In this particular case, H5PCore::hashToken() behaves differently between the two libraries, meaning that the token would be generated with one method, and validated with another.
Now, we rolled out a quick fix of just copying the core's version of hashToken into mod_hvp, but that doesn't fix the underlying problem of the overlapping, and unpredictable, namespace.
Another class name clash error reported in https://github.com/h5p/moodle-mod_hvp/issues/347 when running cron :