RESOLVED:
For others that are having the same problem, here's what worked for me.
It appears that FB have tightened their security, which is why it was originally working.
We were working on a new release, and were using the IP address instead of the domain to access the site. A new message I hadn't seen previously started appearing in the dev console:
When using FB.ui, you should not specify a redirect_uri.
Looks like the FB api now checks the URL domain in the address field of the browser (rather than the redirect_uri) against the Site URL in the Facebook App Settings. Tested this by temporarily pointing our domain to the IP address, and running the Facebook api code via the domain loaded site, and it worked. So while we're testing before the release, I'll use http://localhost:8080
as the Site URL, then update it to the site's domain when it goes live.
Thanks to the people who helped to point me in the right direction!