TYPO3 Core

Just saw this in the doc section of \TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::renderHiddenReferrerFields() where values are serialized before being added to the form and returned to the user:

/**
     * Renders hidden form fields for referrer information about
     * the current controller and action.
     *
     * @return string Hidden fields with referrer information
     * @todo filter out referrer information that is equal to the target (e.g. same packageKey)
     */

Please see the @todo part. Seems a solution has been planned but not yet implemented. Also, the arguments to be serialized do not contain packageKey . But it contains the action name that holds the forwarded (old) values.

A solution that works perfectly:
In the \TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper::renderHiddenReferrerFields() method, make the following slight change;

protected function renderHiddenReferrerFields()
        {
            ...
            $actionName=$request->getControllerActionName();
            $arguments=$request->getArguments();
            if(isset($argument['controller'])){
                $argument=[
                    'controller'=>$controllerName,
                    'action'=>$actionName
                ];
            }
            $actionRequest=[
                '@extension'=>$extensionName,
                '@controller'=>$controllerName,
                '@action'=>$actionName,
            ];
            ...

            $result.='<input type="hidden" name="'.htmlspecialchars($this->prefixFieldName('__referrer[arguments]')).'" value="'.htmlspecialchars($this->hashService->appendHmac(base64_encode(serialize($arguments)))).'" />'.LF;
            ...

            return $result;
        }

I was able to reproduce the described scenario and created this https://github.com/derhansen/validation_test little demo extension which covers the described steps to reproduce.

The main problem is, that the form uses the same action (to show the form and to process submitted data). By doing so, referring request data will always remain and although the DTO actually is not valid in the described 2nd form submission, the (invalid) data is still processed by the action (since this is the action to actually represent/show the validation error).

I highly recommend, that you at least have 2 different actions in your extension (e.g. newAction and createAction). The newAction is "blank" as you described and the createAction actually handles the processed data of the DTO and finally redirects the user back to newAction.

The Extbase documentation (see https://docs.typo3.org/m/typo3/book-extbasefluid/main/en-us/7-Controllers/1-Creating-Controllers-and-Actions.html#flow-pattern-creating-a-new-domain-object) describes the required flow in more detail.