Validating digitised cards and coupons in any form presents different challenges to validating their physical equivalent. It is all to easy for users to take screenshots or use tools like Photoshop to create exact replicas of any digitised content.
The share button on the pass is actually is actually a deliberate move by Apple to raise awareness and to encourage issuers to implement processes to ensure correct and valid use of passes.
You are correct that if someone shares their pass it will send an exact copy of that one pass, but think of it like this; Any updates to that pass are mirrored across all versions of that same pass on other devices, and this is both ways. So if someone redeems a coupon, gains or uses points, terminates their membership, etc. each copy of the pass will be simultaneously updated.
If you think about it, this is no different if using a physical card. I can quite easily take my friends loyalty card and add points, and in many cases I can quite easily redeem points from the same card.
For cases where it is absolutely necessary to restrict the use of the pass to a user, then there are many approaches you can take. These range from printing the cardholder's photo on the pass (or alternatively attaching it to the pass record and making it available to the cashier via the API); using secondary authentication, such as requesting a driving license, or validating the cardholder's name with the name of the credit card holder; or by use of a shared secret, such as a pin code which could be encrypted into the barcode of the pass.
If you wish to encourage sharing, but wish to avoid the use of the share button, then we have found that providing your own share link, with some incentive to share can be effective. One example we did for a client was a Facebook campaign where for every 5qualifying shares (based on age and location taken from the FB profile), a pass holder would receive a paid of movie tickets.
When thinking of the processes you want your digital value card or coupon to follow then you need to consider if you want to add restrictions, what they are, and how to enforce them. The actual process you choose will depend on your use case and the value of the pass and we have a long history of helping our clients achieve their goals.
One other consideration is that eve though passes have the capability to be dynamically updated, the information they display may not be accurate. This is especially true with tourists who may not have roaming internet access but also users who have chosen to disable updates.
Therefore it is important to have a reliable source of truth that can be queried at the point of redemption to determine/validate the true status of the pass.
All of the above can be accomplished using our API to retrieve and query the pass record, or to update, redeem, void or invalidate it.
I hope this helps, if you would like to provide more details of your plans I will be happy to provide more specific advice.