If the security nonce is not being sent in the serialized, encoded array, it's not going to be received back. So it must be sent in the first place.
Actually, you can filter not only the redirect URI but the entire state array that's being sent. final-redirect-uri is reliable. But it would be wise to wait for the result of the fix we may come up with tomorrow.
Preliminary investigation shows the issue to be as you mentioned - for already existing WP users, if these users are registered with their Patreon email, and if they are logging in for the first time with this plugin without currently being logged into WP, it results in an unexpected case for the plugin.
Trying to connect with Patreon while already having been logged into the WP site with that user may fix the problem. But a fix must be developed for this special exception case anyway.
In any case, email matching to identify users was removed from user identification due to security concerns and it possibly won't be coming back.