This is a low-priority security issue, more of a potential nuisance than a potential exploit.
The screen auth API should find a way to validate that temp tokens were really issued by the server, preventing an attacker who can see the screen during configuration, or even just guess the temp token, from impersonating the newly-authorized screen before it gets its permanent token.
This needs to work without cookies, since we're allowing a dumb client for these API requests.
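One way to let the server check that a temp token is one it issued, without a cookie or server-side session, as an added Ruby example that is not Concerto's own code: the token carries an HMAC tag over a random id and an expiry, computed with a server-side secret, so a guessed token fails the tag check and a stale one fails the expiry check. The class name, the TTL and the `secret` are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper (assumed, not Concerto's code): issues temp tokens of the
# form "<random id>.<expiry unix time>.<hex hmac>" and validates them later.
class TempTokenIssuer
  TOKEN_TTL = 600 # seconds a temp token stays valid (assumed value)

  # clock is injectable so expiry can be exercised deterministically
  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret
    @clock = clock
  end

  def issue
    id = SecureRandom.hex(8)
    expires = @clock.call + TOKEN_TTL
    payload = "#{id}.#{expires}"
    "#{payload}.#{tag(payload)}"
  end

  # Returns the token id when the tag matches and the token is unexpired, else nil.
  def validate(token)
    id, expires, given_tag = token.to_s.split('.', 3)
    return nil if id.nil? || expires.nil? || given_tag.nil?
    return nil unless expires =~ /\A\d+\z/ && id =~ /\A\h+\z/
    return nil if expires.to_i < @clock.call
    return nil unless secure_equal?(given_tag, tag("#{id}.#{expires}"))
    id
  end

  private

  def tag(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so a wrong tag cannot be refined byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The screen still has to send the whole token on each request, so the expiry is what bounds how long a token seen on the display during setup stays usable.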
For me it's not quite clear why even a temp token exists.
Strictly speaking it is not necessary for the server to provide any temp token. The screen could very well just generate an authentication token on its own and display it to the user. An administrator can then just set up the screen with that token. This would solve the problem of exposing a temporary token.
Another problem is that concerto-hardware is deliberately modifying the temp / auth token to recognize the screen as a hardware player, so validation might not be that straightforward.