tl;dr: Once again, being in a hurry will always slow you down. After forty years in this craft, the next counterexample I see will be the very first.
(See the bottom for an update.)
The reason that our token wasn't preserved from the
ResetPassword::New action to the
ResetPassword::Create action appears to be tied to the inconsistency with which that token is accessed throughout its journey.
Here's a URL fragment showing how the reset-password link might appear in an email sent to a Member: