This indeed a know security issue from Google side, so I am going to suggest a workaround.
Along with promo code provide the users with server id generated by your server, when getting a promo purchase validate the server id and accept the purchase just once.
When using from market send the id with referrer. When using from app have your own logic to provide the server id.
Bottom line there is no other solution but some how identify the users with some sort of id.