We had the same problem (discovered when the site went into production!).
We addressed it by setting two keys:
REGISTRATION_RATELIMIT: 1000000/minute
RATELIMIT_RATE: '600/m'
As far as I can tell, these aren’t documented anywhere. I think REGISTRATION_RATELIMIT is relevant to the issue you hit. I think RATELIMIT_RATE applies to OAuth.