It is more complicated to implement, but what about signing the order id with the bitcoin private key and sending that? It could be easily checked on the server side, but this is a larger question of do we really want to use the bitcoin private keys for other signing?
The web server doesn't have the bitcoin private key, and the problem I'm trying to solve is an order process where the web server doesn't have to communicate with bitcoin at all to generate the "pay me" address/link.