We were using a cookie for tracking the state in the LTI 1.3 launch but have switched to using session storage (https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) so that it all works in Safari. This means you need to have JavaScript enabled in the browser (as the redirects are then done in JS), but these days most of the web requires JS, and if the end point is a SPA you're going to need JS anyway for it to be useful.
IMS are looking towards allowing tools to use the platform to store the state in the future, and this should allow the login initiation URL and the redirect URL to be on different domains, which is common when you have different endpoints for different regions (e.g. US/Europe/Asia), as session storage wouldn't work in that situation (but locally we don't have that problem as we use the same domain). I don't think Canvas supports this yet, but would expect it to as lots of tool vendors have this problem. There's a talk on this from IMS: https://www.youtube.com/watch?v=60QY7HxPenk
The reason you want to validate the state is so that a user can't be tricked into launching an LTI tool as a different user. If the redirect doesn't match the state with the login initiation then a user could be tricked into using an LTI as a different user (e.g. submitting an assignment as another user).
For some LTI tools it may be that you just say this is an acceptable risk and don't validate the state, but watch out for someone coming along in 2 years, copying the patterns you've developed and not realising there are security implications that didn't matter for the original tool, but are serious for the new one.
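
The state check described in the post above, as an added example that is not code from the post or from any LTI library. `STATE_KEY`, `beginLaunch`, `completeLaunch` and `MemoryStorage` are hypothetical names, and `MemoryStorage` is a constructed stand-in for `window.sessionStorage` so the sketch runs outside a browser.

```javascript
// Added example; all names here are hypothetical, not from an LTI library.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const STATE_KEY = 'lti13_launch_state';

// Login initiation page: create an unguessable state, remember it in this
// tab's storage, and return it for inclusion in the auth request redirect.
function beginLaunch(storage) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  const state = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  storage.setItem(STATE_KEY, state);
  return state;
}

// Redirect page: accept the launch only if the state the platform sent back
// is the one this browser stored. The stored value is single-use.
function completeLaunch(storage, returnedState) {
  const expected = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY);
  return typeof returnedState === 'string' && expected !== null &&
    expected === returnedState;
}

// Constructed stand-in for window.sessionStorage (one instance per tab/origin).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

function demo() {
  // Normal launch: same tab stores the state and sees it come back.
  const tab = new MemoryStorage();
  const state = beginLaunch(tab);
  const ownLaunchAccepted = completeLaunch(tab, state);
  const replayRejected = !completeLaunch(tab, state);

  // A launch that was started in some other browser, as another user,
  // arrives in a tab that has its own pending state: it must be refused.
  const secondTab = new MemoryStorage();
  beginLaunch(secondTab);
  const foreignState = beginLaunch(new MemoryStorage());
  const foreignLaunchRejected = !completeLaunch(secondTab, foreignState);

  // Login initiation and redirect on different domains: separate storage,
  // so the redirect page finds nothing to compare against.
  const crossDomainRejected = !completeLaunch(new MemoryStorage(), state);
  return { ownLaunchAccepted, replayRejected, foreignLaunchRejected, crossDomainRejected };
}
```

In a browser, pass `window.sessionStorage` as `storage`; the last case in `demo()` is the different-domain situation the post says session storage cannot handle.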