Fix OrderVersionMismatchException When Canceling Payment – Stale Order Not Reloaded in cancelPage()

Description

When canceling an offsite payment (e.g., PayPal, 2C2P), the PaymentCheckoutController::cancelPage() method retrieves the order entity from the route parameters. This order may be stale, especially if a previous cancel or payment notification request has already updated the order.

This issue becomes more likely when:

• Multiple cancel requests are triggered within a short time (e.g., user clicking "Back" multiple times)

The controller then passes this potentially outdated $order into:

$payment_gateway_plugin->onCancel($order, $request)

$checkout_flow_plugin->redirectToStep($previous_step_id)

Although cancelPage() itself does not modify or save the order, these plugin methods often do. If the $order object is stale, saving it will trigger the following exception:
Drupal\commerce_order\Exception\OrderVersionMismatchException: Attempted to save order 1234 with version 8. Current version is 10

Steps To Reproduce

1. Configure an offsite payment gateway that supports both redirect and server-side notification (e.g., 2C2P, PayPal).
2. Begin the checkout process and proceed to the payment gateway.
3. Cancel the payment in a way that triggers multiple browser-based cancel requests (e.g., double-clicking back or refreshing).
4. Observe that one request updates the order successfully.
5. Subsequent requests fail with OrderVersionMismatchException when plugins attempt to save the outdated order.

Proposed Solution

Reload the order using loadForUpdate() inside cancelPage(), before passing it to plugins. Also, update the route parameters with the reloaded order, since the checkout flow and payment plugins rely on the route-matched version.