Thank you for the prompt answer, but unfortunately that did not help. "Overwrite" was not checked, but a mapping was defined. So I set all fields to "(none)",
but that still creates a linked contact for the user - the bottom one is the contact I manually create from the backend code, and the top one is what BizForm creates and links:
I guess I will be stripping the auth cookie from the frontend call then (that would work, I tested) - but that's not a good solution, as it exposes my APIs to the world. I would love to know if there is a better way to address this. Thank you.