Ok, it turns out that the complete solution to my problem required two changes:
The
params
object I was passing was being preserved between requests in some cases, but apparently gets destructively modified when setting up the request. This meant that the oauth parameters were included in the next request, which interfered somehow with rauth setting it up.The only differences that I noticed were that the parameters were in a different order, but it's possible that the oauth parameters were being treated as part of the signed content and then being overwritten after the signature was generated, invalidating it. Whatever the cause, this change fixed 90% of the failures I was getting.
Resetting
header_auth
back toFalse
as suggested by maxcountryman. Even though the spec for qbo requests says to put the authentication in the header, apparently that doesn't always work. The error rate I was getting with this setting was only around 10%, but without it I'm no longer getting any signature errors.