That is great to hear that you are getting the options back now.
When it comes to ensuring the user cannot use the codes until after the transaction was successful the methods you described are exactly rite.
Rite now you are just populating the cart and sending the email correct? To update the order or the details of the order you can add in a store order summary or store order details server behavior. So long as you have the same order id number it will update the existing or or order details. You will just need to make sure you have a column in the table to hold the status, then when you ensure that the transaction is successful on your IPN page you use the server behavior to set the value in the column.
The last part of this would be implementing the check like you have noted, using security might be a little tricky for this. I think the easiest way to go would be to have a recordset that will select the order details based on the activation code used. You can then filter the rs to only return records where the status column is set to success or whatever value you use to indicate this. Finally you can do a check for rows in this recordset to determine if everything is as it should be, if there is a row in the rs then the verification code is correct and the status was successful.
If there are not any rows then there is a problem and you would want to redirect the user to an error page of some type.
This is almost exactly what you have posted but with some more specifics. Let me know if you have any other questions on this or run into any problems.