To the extent that this is an issue, the server could presumably sign the document URI plus some nonce and include that signature and the nonce in the report-to URI.
A service like Report URI could trivially validate if the nonce approach were understood.
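The scheme proposed in the comment above, sketched as an added example (not part of the original comment and not Report URI's code). It assumes an HMAC-SHA256 under a key shared between the site and the collector stands in for the "signature"; the collector URL, the `n`/`sig` parameter names and the per-nonce cap are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

COLLECTOR = "https://collector.example/r"  # hypothetical collector endpoint


def _mac(key, document_uri, nonce):
    # Length-prefix the URI so the (uri, nonce) pair has one unambiguous encoding.
    msg = f"{len(document_uri)}:{document_uri}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_report_uri(key, document_uri):
    """Site side: mint the reporting endpoint sent with one response."""
    nonce = secrets.token_urlsafe(16)
    query = urlencode({"n": nonce, "sig": _mac(key, document_uri, nonce)})
    return f"{COLLECTOR}?{query}"


def verify_report(key, endpoint_uri, reported_document_uri, counts, max_per_nonce=20):
    """Collector side: accept a report only if the endpoint's signature covers
    the document URI the report claims. `counts` maps nonce -> reports accepted;
    the cap is an added assumption, since anyone who received the page can
    replay its signed endpoint."""
    q = parse_qs(urlsplit(endpoint_uri).query)
    nonce = q.get("n", [""])[0]
    sig = q.get("sig", [""])[0]
    if not nonce or not sig:
        return False
    expected = _mac(key, reported_document_uri, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    if counts.get(nonce, 0) >= max_per_nonce:
        return False
    counts[nonce] = counts.get(nonce, 0) + 1
    return True
```

The check proves only that the site issued this endpoint for this document; it says nothing about whether the violation in the report body actually occurred.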