The key here is that, when FB remotely pings my URL, it doesn't activate the JavaScript SDK that sets up the cookies that Koala taps into.
I could have developed a different authentication method, but my first attempt failed and instead I set up the following line in my controller:
rescue_from NoMethodError, :with => :redirect_to_signin
I think this will also capture random errors like expired or destroyed cookies and a variety of other unforeseeable events, and redirect the user to the login page.
Any thoughts on the above would be very welcome.
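
An added example (not the poster's code): a plain-Ruby stand-in for the controller, comparing the broad rescue of NoMethodError with a dedicated error raised by an explicit session check. The class names, the fb_session cookie name and the two sample actions are constructed for illustration and do not come from Rails, Koala or Facebook.

```ruby
# Added example: plain-Ruby stand-in for a Rails controller; all names are hypothetical.
class NotSignedIn < StandardError; end

class BaseController
  def initialize(cookies)
    @cookies = cookies
  end

  # Explicit check: a remote ping that never ran the JavaScript SDK has no cookie.
  # "fb_session" is a constructed cookie name, not the real Facebook one.
  def require_fb_session!
    raise NotSignedIn if @cookies["fb_session"].to_s.empty?
  end

  def redirect_to_signin
    [302, "/signin"]
  end
end

# Same effect as `rescue_from NoMethodError, :with => :redirect_to_signin`.
class BroadController < BaseController
  def show(&action)
    action.call(@cookies)
  rescue NoMethodError
    redirect_to_signin
  end
end

# Rescues only the dedicated authentication error.
class NarrowController < BaseController
  def show(&action)
    require_fb_session!
    action.call(@cookies)
  rescue NotSignedIn
    redirect_to_signin
  end
end

# Constructed sample actions.
PROFILE = ->(cookies) { [200, cookies["fb_session"].upcase] } # nil.upcase without a cookie
BUGGY   = ->(cookies) { [200, cookies["fb_session"].lenght] } # typo: a genuine code bug

if __FILE__ == $PROGRAM_NAME
  signed_in = { "fb_session" => "abc" }
  p BroadController.new({}).show(&PROFILE)        # missing cookie
  p BroadController.new(signed_in).show(&BUGGY)   # bug hidden behind a redirect
  p NarrowController.new({}).show(&PROFILE)       # missing cookie
  p NarrowController.new(signed_in).show(&PROFILE)
end
```

With the narrow version, BUGGY raises NoMethodError for a signed-in user instead of quietly sending them to the login page, so the defect reaches error reporting.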