[random]

Authorize.net CIM integration presumes that for each non-subsequent payment it does two steps: creates a payment token and then pays using it.
So, even for "first" payment it saves a card and then use its token to pay.
The mentioned issue appears on that second action performed during the single payment process - it uses a token but doesn't provide CVV again and this fails according to the merchant account setup.

So, you need to setup the merchant account so that it will decline incorrect CVV, but still accept payments without CVV at all. Please don't worry about payments without CVV because X-Payments doesn't let the payment without it. But Authorize.net still should check that CVV is valid.