Lots of InvalidAuthenticityToken errors - what's causing it?

So I’ve had this application online for about 4 months now, and ever
since launch, I get random e-mails from ExceptionNotification about
authenticity token errors. In and of itself, that’s cool, but I’m
disturbed by the number I’ve received.

Basic setup:
Rails 2.2.2
Passenger 2.2.2
Apache 2

Long story short, I’ve gone through lots of output from Exception
Notification and found no pinpoint commonality. I’ve seen user agents
from IE 6 through FF 3.5. Some are on OS X, most on Windows, and most
have MS Office installed (signs thereof showing up in the output from
EN under user-agent).

So far, my only theory is that it has something to do with the way
Passenger is spawning the application. As I understand it, a request
comes into Apache, which shuttles it to Passenger, which then shuttles
it to one of X instances of the rails application (where X is unknown
to me), depending on which is lowest on traffic. In theory, if a
user’s initial request came in for one instance, this would trigger
the error if they somehow got shuttled to a different running instance
of passenger on their next request, because their authenticity token
was generated by another running instance of the application.

And yes, I’m 99.9% sure they’re real humans causing these, and not
bots or CSRF attacks (the vast majority anyway, I’m sure we’ve had a
few bots/hack attempts, but not nearly this many).

Does this theory hold water? If not, what else do you think could be
causing so many Authenticity Token errors?