Accidentally/intentionally sending data to the wrong client
You can mitigate this by using non-sequential, random UUIDs as account IDs. For example, if an account ID looks like 100001, then someone might try using the account ID 100002; however, if the account ID looks like c3f80e491d44cd91664a0459a0777ed01, it's statistically unlikely that someone will be able to send data to an unknown account.
Intentional spam/fictional submissions
This is a problem with any form that stores data on the internet; I'm not aware of any way around this without help from some server side code.
You can generate a one-time token to be included with the JSON payload - this can be something like a dated JWT token secured via HMAC, or a set message encrypted with a shared secret key which would then be de-duped by the SaaS server.
If you're going to start involving server-side programming, then this additional negotiation process becomes a bit irrelevant - it's far easier to just give the e-commerce site an API key, and let them post the customer information over when they receive an order.
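The dated, HMAC-signed one-time token with server-side de-duplication described above, as an added example that is not part of the original answer. The function names, the 300-second lifetime and the in-memory `seen` store are assumptions made for illustration; the signing key is assumed to be held only by server-side code.

```python
import base64, hashlib, hmac, json, secrets, time

TTL_SECONDS = 300  # assumed validity window for a token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue_token(key: bytes, account_id: str, now=None) -> str:
    """Build a compact HS256 JWT carrying issue/expiry times and a random jti."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": account_id, "iat": now, "exp": now + TTL_SECONDS,
              "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(key, header + '.' + body)}"

def accept_submission(key: bytes, token: str, seen: dict, now=None):
    """Return (ok, reason). `seen` maps jti -> exp and is the de-dupe store."""
    now = int(time.time() if now is None else now)
    try:
        header, body, sig = token.split(".")
        # Verify the MAC before trusting anything inside the token.
        if not hmac.compare_digest(sig, _sign(key, f"{header}.{body}")):
            return False, "bad signature"
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False, "unexpected algorithm"
        claims = json.loads(_unb64(body))
        exp, jti = int(claims["exp"]), str(claims["jti"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    if now >= exp:
        return False, "expired"
    # Expired entries can never be replayed, so the store stays bounded.
    for old in [j for j, e in seen.items() if e <= now]:
        del seen[old]
    if jti in seen:
        return False, "replayed"
    seen[jti] = exp
    return True, "accepted"
```

In a multi-process deployment the `seen` dictionary would need to be a shared store with an atomic insert-if-absent operation, otherwise two workers can both accept the same token.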