Thanks Dylan. When sending a user from our site (Stack Overflow Careers) to Bitbucket to get an OAuth token, they are presented with a login screen. Upon submitting their login, the CSRF error occurs. (See screen shot attached to case.)
So here's the issue: There's a discrepancy between using api.bitbucket.org and bitbucket.org/!api/, in the sense that redirecting users for authorization on api.bb.org will actually post to bb.org directly, and cause a CSRF error.