Short answer: Your form, let's call it X, needs to be sent back to A. A can then sign the request, and then forward it all to B.
If the form is NOT sent back to A, then how does B know that the request came from A rather than from the client, whom we will call Zed? Only Zed submitted form X; A is no longer involved in the conversation.
Zed may put anything they want in X and return it to A. Zed may be evil, or Zed may be a victim of CSRF. However, your question is only whether B knows that the request came from A. A can check the input and take appropriate action. If A wants to accept the input from form X, it signs the request and sends it to B; B then knows that the request came from A.
This idea is similar to what OAuth 1.0a does.
Take all the form variables in X and create a URL-encoded string with the keys sorted alphanumerically.
$str = "keyA=<val1>&keyB=<val2>&keyB123=<val3>";
Then hash and sign it. HMAC-SHA1 is one algorithm that does this. For the key, you need to generate a random string of characters and numbers. Both A and B must know this value, and you must keep it VERY PRIVATE. You can then generate a signature to add to your request to B.
$signature = hash_hmac("sha1", $str, $key);
B can verify the signature for form X by following the same steps you took to create the original $str.
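The whole exchange above (A canonicalises and signs form X, B rebuilds the string and checks the signature) as an added, runnable example. This is my code, not the answer's PHP, and it is written in Python so both sides can be exercised in one file. Everything not in the answer is an assumption: the placeholder SHARED_KEY and FORM_X are constructed for the demo, the field names ts and sig are my choice, HMAC-SHA256 is used where the answer names HMAC-SHA1 (same construction, different hash), the comparison is constant-time, and the timestamp freshness check is an extra guard against a captured request being replayed to B.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed placeholder for the secret shared by A and B. In deployment,
# generate it once (for example os.urandom(32)) and keep it away from Zed.
SHARED_KEY = b"constructed-example-key-do-not-use-in-production"


def canonical_string(params):
    """Build the signature base string the answer describes: keys sorted,
    pairs joined with '&'. Each key and value is percent-encoded (safe='')
    so a value containing '&' or '=' cannot masquerade as a separator;
    without that, {'a': '1&b=2'} and {'a': '1', 'b': '2'} would produce
    the same string and therefore the same signature."""
    pairs = sorted((str(k), str(v)) for k, v in params.items())
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)


def sign_request(params, key, ts=None):
    """Server A: stamp the form with the current time (assumed field 'ts'),
    HMAC the canonical string with the shared key, and attach the result
    as the assumed field 'sig'. Returns the dict that is forwarded to B."""
    signed = dict(params)
    signed["ts"] = str(int(time.time()) if ts is None else ts)
    base = canonical_string(signed)
    signed["sig"] = hmac.new(key, base.encode("utf-8"), hashlib.sha256).hexdigest()
    return signed


def verify_request(received, key, now=None, max_skew=300):
    """Server B: rebuild the canonical string from everything except 'sig',
    recompute the HMAC and compare in constant time. The timestamp window
    (an addition beyond the answer) rejects a correctly signed request that
    Zed, or anyone on the path, captured earlier and replays later."""
    received = dict(received)
    sig = received.pop("sig", None)
    if not isinstance(sig, str) or "ts" not in received:
        return False
    try:
        ts = int(received["ts"])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    base = canonical_string(received)
    expected = hmac.new(key, base.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


# Constructed form X, as Zed would post it back to A.
FORM_X = {"keyB": "val2", "keyA": "val1", "keyB123": "val3"}


if __name__ == "__main__":
    request_for_b = sign_request(FORM_X, SHARED_KEY)
    print(canonical_string(FORM_X))                   # keyA=val1&keyB=val2&keyB123=val3
    print(verify_request(request_for_b, SHARED_KEY))  # True
    tampered = dict(request_for_b, keyA="evil")
    print(verify_request(tampered, SHARED_KEY))       # False
```

Note that B must strip the signature field before rebuilding the string, and that the percent-encoding step is what makes "follow the same steps" safe: A and B must agree byte for byte on the encoding rules, or an attacker who controls a value gets to choose where the separators fall.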