Here's something you could do:
Upon the buyer's first visit to your redirection landing page, save the GET value for 'txn_id' at your end and set a cookie in the buyer's browser with a value set to that ID (or maybe a hash of it, possibly incorporating other values from HTTP headers identifying the buyer's browser, OS, etc., thus making the cookie harder to forge on another computer).
If the 'txn_id' value in the URL for any visit matches an ID already stored at your end, look for the cookie indicating the original buyer is merely re-accessing their page; otherwise, if the cookie is absent, refuse to grant access.
If this blocks a legitimate buyer because they have cleared the cookie or are using a different computer or browser, you can simply delete the 'txn_id' from your end to allow the buyer to visit the URL and set a new cookie.