Advanced HTTP POST Protection? - Stack Overflow

Answer by El Zorko for Advanced HTTP POST Protection?


You may be way ahead of me, and it seems rather outré, but is it possible they're using some form of temporal or request-conditional protection? For example:

  • You must request X page and Y page before POSTing the form (the encrypted cookies might include prior requested URIs, or resulting session state from the server)

  • You must request X page Y n seconds before POSTing the form (the encrypted cookies might include that date/time)

  • You must NOT have POSTed this form previously / within a certain timeframe, with/out cookies being adjusted accordingly

Perhaps some programmer was attempting to foil automated submission or close a hypothetical attack vector.

I'm not certain whether you've already done this, but it might be worth trying a clean site visit from its front page (or as close as you have to get for form submission to work by hand) with clear cookies and cache and watching the HTTP request/response traffic from the start, to see:

  • Exactly what headers a browser is sending with each request
  • Which response contained the cookies in question (and what that request contained)

To do this, I'm probably preaching to the choir, but with the Chrome browser you can clear cookies, open a blank tab, hit F12 for dev tools, type a URL and then via the F12'd window, select Network and you'll see a list of all request/response pairs. Click any one and look at the request and response source text, and look for the Cookies tab which lets you see cookies both sent and received - so you can see which request yielded the cookies. Perhaps a visit to that page is mandatory/tracked.

(Googling suggests that P3P header is an electronic privacy statement and so unlikely to be related.)
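The three request-conditional checks the answer speculates about, implemented server-side as an added example that is not part of the original post. It keeps the visit history in an HMAC-signed (rather than encrypted) cookie, since tamper resistance is what the checks depend on; the secret, the required page list, the delays and the `record_visit`/`check_post` names are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-example-secret"   # assumption: in practice a random key kept server-side
REQUIRED_PAGES = ("/", "/form")        # pages that must be fetched before the POST
MIN_DELAY = 5.0                        # seconds that must pass after fetching /form
RESUBMIT_WINDOW = 60.0                 # a second POST within this window is refused
MAC_LEN = hashlib.sha256().digest_size

def _sign(state: dict) -> str:
    """Serialise the state and append an HMAC so the client cannot alter it."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def _verify(cookie: str):
    """Return the state dict if the cookie is intact, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)

def record_visit(cookie, path: str, now: float) -> str:
    """Called on each GET: note the path and the time it was requested."""
    state = _verify(cookie) if cookie else None
    if state is None:
        state = {"visits": {}, "last_post": None}
    state["visits"][path] = now
    return _sign(state)

def check_post(cookie, now: float):
    """Decide whether a form POST may proceed: (ok, reason, updated cookie)."""
    state = _verify(cookie) if cookie else None
    if state is None:
        return False, "missing or tampered cookie", None
    for page in REQUIRED_PAGES:                       # prior-request condition
        if page not in state["visits"]:
            return False, f"{page} not requested first", None
    if now - state["visits"][REQUIRED_PAGES[-1]] < MIN_DELAY:   # temporal condition
        return False, "form submitted too quickly", None
    last = state["last_post"]
    if last is not None and now - last < RESUBMIT_WINDOW:       # no-repeat condition
        return False, "already submitted recently", None
    state["last_post"] = now
    return True, "ok", _sign(state)
```

Timestamps are passed in explicitly so the checks can be exercised without waiting; a real handler would use the server clock.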
