I would do it this way:
- Create an API on the subdomain (user registration, maybe some checks for whether the email is registered, etc.).
- When the user has paid and filled out the form on the primary domain, send this data to the API (on the subdomain), check, register, or alert an error.
- On the primary domain you can echo any data from the API on the subdomain (it just needs an API call to return the data).
Back to your question: any solution has holes. Although I'm not an expert, with an iframe you give more space to work with (for some bad guys), but with an API you have calls, which you can check and throw errors if something is not right.
Wait for someone more familiar with security issues to answer )
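
A sketch of the checks such a registration API on the subdomain could run on each call from the primary domain. This is an added example, not part of the original post. The shared secret, the HMAC signing scheme, the `email` and `paid` field names, the status codes and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re

# Assumption: the primary domain and the subdomain API share this secret
# out of band; the value here is a constructed placeholder.
SHARED_SECRET = b"constructed-demo-secret"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Primary-domain side: HMAC-SHA256 over the exact bytes it sends."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_register(body: bytes, signature: str, users: set) -> tuple:
    """Subdomain API side: returns (http_status, response_dict)."""
    # Check 1: the call really comes from the primary domain.
    if not hmac.compare_digest(sign(body).encode(), signature.encode()):
        return 401, {"error": "bad signature"}
    # Check 2: the body is well-formed JSON with the expected fields.
    try:
        data = json.loads(body)
        email = data["email"].strip().lower()
        paid = data["paid"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, {"error": "malformed request"}
    # Check 3: field-level validation.
    if not EMAIL_RE.fullmatch(email):
        return 422, {"error": "invalid email"}
    if paid is not True:
        return 402, {"error": "payment not confirmed"}
    # Check 4: the "is this email already registered" check.
    if email in users:
        return 409, {"error": "email already registered"}
    users.add(email)
    return 201, {"registered": email}


if __name__ == "__main__":
    users = set()  # constructed in-memory stand-in for the user table
    body = json.dumps({"email": "Alice@example.com", "paid": True}).encode()
    print(handle_register(body, sign(body), users))  # accepted
    print(handle_register(body, sign(body), users))  # duplicate
    print(handle_register(body, "0" * 64, users))    # forged call
```

The sketch does not stop a captured request from being replayed; a timestamp or nonce inside the signed body would cover that, and the call itself should go over HTTPS.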