No, let’s not involve any additional cryptography here. It’s merely a problem of state synchronization, where the instance that the group is on contains the authoritative state. Remember: treat ActivityPub like an API, this makes reasoning about it a whole lot easier. Your Create{Note} is an API call where you ask the group to add a post to its wall, group’s Add{Note} is its API call to its followers to update their cached states.
Well, there’s a spec… And I have some test cases from Mastodon. Here’s a topic of mine where I discuss LD-signatures in detail: