I think in this case we are parsing the hash mark (#) as a fragment identifier.
The fragment identifier introduced by a hash mark # is the optional last part of a URL for a document. It is typically used to identify a portion of that document (to scroll to a specific element id).
We rebuild the URI in accordance with RFC3986, where section 3 of RFC3986 indicates the fragment must be at the end of the URI:
The generic URI syntax consists of a hierarchical sequence of
components referred to as the scheme, authority, path, query, and
URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
So in this case we are rebuilding the URI, after adding the query parameter
code and moving the fragment identifier to the end of the URI.
If that URL is not configurable in your app, you may have to find a way to set up a html redirect to this URL from one that doesn’t have a # character - so that we’re not adding the token in the middle.