I agree- this sharing workflow is incredibly unintuitive. The wording of the initial invite ("create an account to gain access") absolutely suggests that, once you complete the signup flow, you'll have access. I did this using the same email address that the invite was sent to, assuming that there would be a stored association that "once this address registers, auth it on this lock." I suppose I shouldn't have, since nothing in the invite-to-signup flow (if you can call it a flow) exists to enforce that. I think a one time token, as suggested, would be even better. That way, the signup flow would be address agnostic, in case the invite was sent to an email account I don't use much.
Anyway, even in the absence of a cohesive, usable invite signup flow, at least some language in the invite (sign up, then ask XXXX to invite you to open their lock!) would avoid this confusion.