I’d just like to back this up.
The more I’ve looked at this problem in a number of vaguely similar contexts - anonymous or pseudonymous participants, with payment desired to present DOS and the snooping that can come from DOS (in LN case, probing etc.) - the more I’ve come round to the idea that, while this “2 layer payment” system looks ugly in complexity, it’s somehow the right way to do it. The separation of the buying event from the payment event afforded by these ecash credentials is exactly what you want, I think. It actually gives you more flexibility to use cryptographic primitives that suit this exact problem, rather than the ones in e.g. bitcoin (which LN inherits) which are not particularly suited to this problem.
I do realize it looks heavy (per node economic relationship etc) but I suspect it’s less so than it seems (as @nothingmuch already argued).