
Yes, I know I've seen someone talk about this before, I think it's their link safety checking thing:

https://techcommunity.microsoft.com/t5/security-compliance-a...



It's odd that they're, essentially, fuzzing my app.


Agreed, it's curious! I wonder if they would still fuzz it if you changed the URL scheme to include the identifier as part of the URL path, rather than as a parameter? e.g., hxxp://example.com/unsubscribe/abcd1234

Please report back if you try it :-)


I could swear I've had that thing burn a one-time token for a password reset email before too, but it's hard to prove as a user. Doesn't feel great!



