Thanks your analysis is correct. The Ajax call to the server seems like a normal form submit and Click regenerates a different double post token.
To solve this we need a more robust check for Ajax callbacks.
Doing some research there is the de-facto standard header : "X-Requested-With: XMLHttpRequest" supported by Prototype, JQuery, Mootools, YUI, MockiKit, Dojo 1.1.
Rico is included in this list since its built on Prototype.
Here are some articles for those interested:
Please note that there is an ajax "standards" organization; http://www.openajax.org/index.php which might standardize on another header.
Implementation wise we could do Context#isAjaxRequest();