One salient property of this flow is that the first time the invitation is dereferenced, it gets bound to a concrete user. On subsequent attempts to dereference the invitation, a check can be made that it is the same user (but if the requirement really is that the token should be reusable by different users, then this check can be omitted).
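A minimal sketch of the bind-on-first-dereference check described above, added here as an illustration and not taken from the original text. The `InvitationStore` class, its method names, the in-memory dictionary, the digest-keyed storage and the user ids are all assumptions.

```python
import hashlib
import secrets
import threading


class InvitationStore:
    """In-memory invitation registry (hypothetical; a real one would use a database)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._invites = {}  # sha256(token) -> {"bound_to": user id or None, "reusable": bool}

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked table does not reveal usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, reusable=False):
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._invites[self._key(token)] = {"bound_to": None, "reusable": reusable}
        return token

    def dereference(self, token, user_id):
        """Return True if user_id may use the invitation, binding it on first use."""
        with self._lock:  # check-and-bind must be atomic, or two users can race to bind
            invite = self._invites.get(self._key(token))
            if invite is None:
                return False  # unknown token
            if invite["reusable"]:
                return True  # same-user check deliberately omitted
            if invite["bound_to"] is None:
                invite["bound_to"] = user_id  # first dereference: bind to this user
                return True
            return invite["bound_to"] == user_id  # later dereference: same user only


def demo():
    store = InvitationStore()
    single = store.issue()
    shared = store.issue(reusable=True)
    return [
        store.dereference(single, "alice"),    # first use binds to alice
        store.dereference(single, "alice"),    # same user again
        store.dereference(single, "mallory"),  # different user is refused
        store.dereference(shared, "alice"),
        store.dereference(shared, "bob"),      # reusable: check omitted
        store.dereference("not-a-token", "bob"),
    ]
```

In a database-backed version the same atomicity can come from a conditional update that sets the bound user only where it is still empty.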