The canister would create the ingress message and would put the request id into a Merkle tree structure as described in the section on canister signatures. In a subsequent query call to that canister, one can request the signature on the root of the Merkle tree, and the canister can also return the path in the Merkle tree. Together, those form the “canister signature”. This is exactly what we do in Internet Identity; well, we “sign” a delegation not an actual request id, but that doesn’t really matter, just do what II does but “sign” the request id instead.
That said, as @skilesare pointed out, canister signatures (and the tECDSA feature as well) together with the HTTP request feature make the restriction that canisters cannot hold neurons somewhat artificial. So maybe there is a discussion to be had (maybe first in a dedicated thread here in the forum, and maybe that could lead to an NNS proposal) about lifting that restriction.