A double check to be sure nothing is amiss I guess. I do find it strange that they can't guarantee this callback is not trigged by a response from a HTTPS source. Actually maybe they are and this fake cert is what is allowing it so they added this two phase check just in case. But this ability to verify is also kept around if you store these receipts on your server. Before you write them to your DB you can check with Apple to make sure they are legit.
Another curious thing in the video demo is the alert dialog popup box that is triggered during the fake purchase, the one with the "Like" button and "Cancel" in Russian. Perhaps the storekit receipt transmission protocol allows for injecting actions on the device such as opening alert boxes, in addition to just posting a signed JSON receipt?