You're asking several questions, only one of which is the legality question.
Disclosure up front: I work for CoSign.
First question:
Signing a web form digitally vs signing a document (PDF, etc) Yes, this is a common application for digital signatures. CoSign supports it. The usual technique is to first express the web form as an XML file. Then digitally sign the XML file. CoSign's SAPI api directly supports digitally signing XML files according to the W3 standard. Learn more from the SAPI programmers guide. Available from the CoSign Developers site.
Verifying the digitally signed XML file You need the ability to cryptographically verify the digitally signed XML file. You can use CoSign for this or there are many other apps which will also verify the XML files. Google for "verify xml digital signature" to see a long list. Independent verification of the digital signature's identity, intent and the document's integrity are the key advantages of using standard digital signatures.
Second question:
Any way around the high costs of personal copies of digital certs for digital signing? Issuing, tracking, maintaining, replacing and retiring personal digital certs has a very high cost, as you've discovered. This is a common (and large) downside to digital signatures using hw certs issued to the individual signers (smart cards, usb tokens, etc). The way around the problem is to centrally store the certs as CoSign and some others do. CoSign automatically synchronizes with Active Directory / LDAP etc to get rid of the support and maintenance costs of the individual hw certs.
Third question:
Do outside signers need their own account on the CoSign box? That wouldn't work. In the case of outside signers (someone outside of the organization, such as a customer/client/patient who only signs once in a great while), the signing account can be created programmatically, the XML doc signed and then the account is deleted. This is not an uncommon case. The CoSign SAPI api supports account creation/maintenance/deletion for this purpose.
Fourth question:
Is it true that "All of these signatures require the data to be stored in a document which is not ideal for many projects?" No. You can digitally sign XML docs as I explain above. Signing XML docs created from web forms is also done by Microsoft's InfoPath form system, by the IBM Forms system and by others. It is a common application for digital signatures.
Fifth question:
What are Square and other web form signing apps doing?"
In many cases they are doing ""Electronic signatures" not "Digital signatures."
Briefly, an electronic signature is a graphic representation of a person's signature. That's all that's in the document. So the document by itself has no assurance of integrity or non-reputability. Ie, someone can change the document (eg by strategically adding the word "not") and the signature would still look the same.
To add strength to the inherently weak electronic signatures, the various electronic signature services will store the document on their servers, thus providing their corporate assurance of the document's integrity etc. Your option 3 may be in this category. Square, your option 2 may also be an electronic signature. In their case, Square itself is providing the assurance that nothing was changed after signing.
Electronic signatures are generally legal in the US but you should consult a lawyer for details. It is also the case that many organizations won't accept electronic signatures due to their reliance on a third party for verification (the vendor). Electronically signed documents can't be independently verified--you need to rely on the vendor. For example, drug companies cannot submit their paperwork to the FDA with electronic signatures, digital signatures are required. Outside of the US, electronic signatures are often not acceptable again due to the inherent weakness of the technology.
Digital Signatures A document or XML file, or anything else can be digitally signed. The digital signature guarantees, through cryptography techniques, that the document was not altered (integrity), signature is non-reputable (signer identification) and the signer's statement of intent at the time of signing. Digitally signed files can be verified by anyone using verification software or apps available from many places. Digital signatures adhere to open standards, electronic signatures do not.