SUPEE-9767 Magento CE 1.9.3.3 Onestep Checkout not working with Form Key Validation On Checkout enabled

My problem was caused by dynamic code (paypal plus) in the one page checkout process overwriting the fieldset element in the one step method form html - deleting or disabling (with css) the hidden form_key element.

The fix is to ensure the formkey element is not being affected by dynamic code or css. Moving the formkey code outside of the fieldset may help

<form action="" id="co-payment-form">
    <?php echo $this->getBlockHtml('formkey') ?>
    <fieldset>
        <?php echo $this->getChildHtml('methods') ?>
    </fieldset>
</form>

You can easily confirm if the form_key is being detected and sent to the one page controller by inspecting the ajax network requests in your browser as you move through the checkout methods, each method should include the form key in the ajax form data, if the form key is not there but had been patched in the Magento source code then check for external code affecting the form key element, i.e. css or dynamic client side changes.

https://gist.github.com/schmengler/c42acc607901a887ef86b4daa7a0445b

apply this patch after 9767 as you applied security patch and this patch add form keys in all required PHTML file