Is it neccessary to request approval for every reply?
I think in many cases it would make more sense for authority to grant permission once. The representation of permission can be signed by the authority, so replier may simply add the signed representation to Note object under the replyApproval key.
This will reduce the number of network requests required to create and verify replies. In the best case the process would be the same as today, where replier simply sends Create() activity.
Permissions can be revocable. For example, there could be an expiration date after which recipient will be required to check permission validity (by re-fetching permission object from the authority).