Is deeplink an option?
It sounds like you are redirecting the user to an external site for them to login, and the external site calls back to Mendix with the token.
If the external site is passing the token as a parameter in the GET request query string, then I would setup a Deeplink to handle this request and let the developer of the external site redirect to this endpoint. In the handling microflow for the deep link you can then extract the value from the query string, and validate it as you see fit. You would need to make this token single use so the URL can’t just be bookmarked and the external site validation be skipped.
https://docs.mendix.com/appstore/modules/deep-link
Hope this helps.