Similar to what appears to have happened last year, the Sandbox verifyReceipt endpoint is returning the 21007 status code that should only be returned by the production URL and indicates that the receipt in question should instead be sent ... to the sandbox URL.
Verify your receipt first with the production URL; proceed to verify with the sandbox URL if you receive a 21007 status code. Following this approach ensures that you do not have to switch between URLs while your application is tested, reviewed by App Review, or live in the App Store.
We are sending a valid sandbox receipt (validated locally on device already), along with the shared secret / password parameter, and not getting any receipt info back, just this bogus status that should only be returned by the production URL.
We could mitigate this by returning something like a failure status to our own client's request, but how are we supposed to test our code for parsing the response object when a receipt is valid? What's going on?
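The production-first, sandbox-on-21007 flow quoted above, as an added example that is not part of the original post and is not Apple's code. It fails closed when the sandbox endpoint itself answers 21007, and uses an injectable transport so response parsing can be tested against a constructed reply. The names `verify_receipt`, `post_json`, `stub_transport` and `ReceiptVerificationError` are hypothetical.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
SANDBOX_RECEIPT_SENT_TO_PRODUCTION = 21007


class ReceiptVerificationError(Exception):
    """Raised when neither endpoint returns a usable verification result."""


def post_json(url, payload):
    """Default transport: POST the payload as JSON and decode the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_receipt(receipt_b64, shared_secret, transport=post_json):
    """Try production first; go to sandbox only when production says 21007."""
    payload = {"receipt-data": receipt_b64, "password": shared_secret}
    environment = "production"
    reply = transport(PRODUCTION_URL, payload)
    if reply.get("status") == SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
        environment = "sandbox"
        reply = transport(SANDBOX_URL, payload)
        if reply.get("status") == SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
            # The behaviour reported in the post: sandbox itself answers 21007.
            # Fail closed: no retry loop, and the purchase is not granted.
            raise ReceiptVerificationError("sandbox endpoint returned 21007")
    if reply.get("status") != 0 or "receipt" not in reply:
        raise ReceiptVerificationError(
            f"{environment} status {reply.get('status')}")
    return environment, reply["receipt"]


def stub_transport(sandbox_reply):
    """Constructed test double: production answers 21007, sandbox answers
    with whatever reply the test supplies."""
    def transport(url, payload):
        if url == PRODUCTION_URL:
            return {"status": SANDBOX_RECEIPT_SENT_TO_PRODUCTION}
        return sandbox_reply
    return transport
```

Passing `stub_transport(...)` with a constructed `{"status": 0, "receipt": {...}}` reply exercises the valid-receipt parsing path without depending on the live sandbox endpoint.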