Got the same behavior as TS saw. At least the 1) till 5) that is. But my solution was different.
In my case a security plugin Bulletproof Security (BPS) rated the request from the Google authentication page as malicious and gave the 403. Security Log of BPS said so.
Solution was to add a BPS Custom Code Skip Rule in the wp-admin htaccess file for the specific request that showed up in the security logs.
