Sorry, figured this one out eventually.
It’s part of a multisite setup, which I thought I had mentioned in my first post, but obviously omitted. The issue was that the site no longer had ‘force https’ enabled, which meant invites were to an HTTP url, coming in on :80, and were being redirected to the HTTPS version of the default site.
Is there any way in this configuration to avoid that? If the default site has HTTPS forced, but other sites in a multisite setup don’t, then invites will always fail (or so it seems).