I was overthinking it - I did find a simpler way of doing it.
Although the classic way at work would have been using Burp and it would have been reported as ‘broken access controls’.
Consideration is also given to how ‘real world’ an attack is - the solution for this challenge is ‘low tech’ but it’s probably more within reach of most malicious insiders than using an intercepting proxy.