

Question about secure post requests

This is the situation. I want to build a SaaS app. Users can register in the normal way and make 'teams'. They can then send invites to others to become part of their team. Ok, easy enough. I implemented logic for sending the invites to other people using tokens. A token is made for every invitation, and someone wanting to register to become a member of some team needs to have a URL with the token as a query string. I then added middleware to check if that token was part of some invitation (by checking the database). Ok, still easy. But then I want them to only be able to become a member of the specific team that they got an invite for. I thought maybe to make a signed URL for the post request like URL::signedRoute('register_member', ['team' => 3]); and add that to the action attribute in the form. Online I see things like adding a hidden input field with the value the ID of the team that is gonna be joined, but this does not seem safe. Someone could just change the team ID and become a member of another team! So what is the solution here?


I figured maybe I can make some advanced validator that checks if the team and the email match with a pending invitation in the database, could this be a solution?
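An added example (not code from the thread) of the approach in the follow-up: the team is resolved server-side from the invitation row matched by token and email, so the form carries no team ID at all. It assumes a hypothetical `Invitation` model with `token`, `email`, `team_id`, `expires_at` and `accepted_at` columns plus a `team()` relation, and a `Team::members()` belongsToMany relation to `User`.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical Invitation model
// (token, email, team_id, expires_at, accepted_at; team()) and Team::members().
use App\Models\Invitation;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class RegisterMemberController
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'token'    => ['required', 'string'],
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email'],
            'password' => ['required', 'string', 'min:12'],
        ]);

        $user = DB::transaction(function () use ($data) {
            // Resolve the invitation by token only; lock the row so one token cannot be redeemed twice.
            $invitation = Invitation::query()
                ->where('token', $data['token'])
                ->whereNull('accepted_at')
                ->where('expires_at', '>', now())
                ->lockForUpdate()
                ->first();

            // The token must exist and the email must be the invited address.
            if ($invitation === null
                || ! hash_equals(strtolower($invitation->email), strtolower($data['email']))) {
                throw ValidationException::withMessages([
                    'token' => 'This invitation is not valid for that email address.',
                ]);
            }
            $user = User::create([
                'name'     => $data['name'],
                'email'    => $invitation->email, // taken from the invite, not the form
                'password' => Hash::make($data['password']),
            ]);
            // The team is whatever the invitation row says; the form never names it, so there is no team ID to tamper with.
            $invitation->team->members()->attach($user->id);
            $invitation->forceFill(['accepted_at' => now()])->save();
            return $user;
        });

        return redirect()->route('dashboard');
    }
}
```

Because the lookup is keyed on the token and the email check is done against the stored invitation, a tampered team ID or a borrowed invite link for another address both fail validation rather than joining the wrong team.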
