
If you may, could you point out which TOCTOU bugs you have mentioned?


Everything between checking if the user can "place-order", and then validating the inputs, and then finally creating the order.


I don't think the request object can be modified by the end user or that it is modified by the server at that point. If my belief is correct, does this code still contain TOCTOU bugs?


It's the underlying state of the database that will change between these different checks. Not the end-user modifying the request object, which is in PHP memory.


Thanks for explaining it.
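A constructed illustration of the race described in this thread (added here; it is not code from the discussion or from the application being discussed). It simulates in sqlite3 the check-permission, validate-stock, then create-order sequence, with a second request committing in the window between the checks and the write. The table layout, the `between` hook that stands in for the competing request, and the single-unit stock are assumptions made for the demo. The hardened variant folds each check into the WHERE clause of the statement that does the write, so the database evaluates check and act as one operation, and wraps both writes in one transaction.

```python
"""TOCTOU between permission/validation checks and the order write.

Constructed demo on an in-memory sqlite3 database; the competing request is
simulated by a callback run on the same connection between check and act.
"""
import sqlite3


def setup():
    """Assumed schema: two users allowed to order, one SKU with a single unit in stock."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, can_place_order INTEGER NOT NULL);
        CREATE TABLE inventory (sku TEXT PRIMARY KEY, stock INTEGER NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT,
                             user_id INTEGER NOT NULL, sku TEXT NOT NULL, qty INTEGER NOT NULL);
        INSERT INTO users VALUES (1, 1), (2, 1);
        INSERT INTO inventory VALUES ('widget', 1);
    """)
    return conn


def competing_order(conn):
    """Simulated concurrent request: user 2 buys the last widget and commits."""
    conn.execute("UPDATE inventory SET stock = stock - 1 WHERE sku = 'widget'")
    conn.execute("INSERT INTO orders (user_id, sku, qty) VALUES (2, 'widget', 1)")
    conn.commit()


def revoke_permission(conn):
    """Simulated concurrent request: an admin revokes user 1's right to order."""
    conn.execute("UPDATE users SET can_place_order = 0 WHERE id = 1")
    conn.commit()


def place_order_racy(conn, user_id, sku, qty, between=None):
    """Check, validate, then write, trusting the earlier reads (the TOCTOU pattern)."""
    row = conn.execute("SELECT can_place_order FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[0] != 1:
        return None                       # time of check: permission
    row = conn.execute("SELECT stock FROM inventory WHERE sku = ?", (sku,)).fetchone()
    if row is None or row[0] < qty:
        return None                       # time of check: validation against stock
    if between is not None:
        between(conn)                     # database state changes here
    conn.execute("UPDATE inventory SET stock = stock - ? WHERE sku = ?", (qty, sku))
    cur = conn.execute("INSERT INTO orders (user_id, sku, qty) VALUES (?, ?, ?)",
                       (user_id, sku, qty))                 # time of use
    conn.commit()
    return cur.lastrowid


def place_order_safe(conn, user_id, sku, qty, between=None):
    """Each check is part of the statement that acts on it; both writes share one transaction."""
    if between is not None:
        between(conn)                     # same interleaving, but nothing stale is trusted below
    cur = conn.execute(
        "UPDATE inventory SET stock = stock - ? WHERE sku = ? AND stock >= ?",
        (qty, sku, qty))
    if cur.rowcount != 1:                 # stock check and decrement were one atomic write
        conn.rollback()
        return None
    cur = conn.execute(
        "INSERT INTO orders (user_id, sku, qty) "
        "SELECT id, ?, ? FROM users WHERE id = ? AND can_place_order = 1",
        (sku, qty, user_id))
    if cur.rowcount != 1:                 # permission evaluated at write time
        conn.rollback()                   # undoes the stock decrement as well
        return None
    conn.commit()
    return cur.lastrowid


def run(flow, between):
    """Run one flow against a fresh database; report order id, remaining stock, user 1's orders."""
    conn = setup()
    order_id = flow(conn, 1, "widget", 1, between=between)
    stock = conn.execute("SELECT stock FROM inventory WHERE sku = 'widget'").fetchone()[0]
    orders = conn.execute("SELECT COUNT(*) FROM orders WHERE user_id = 1").fetchone()[0]
    return {"order_id": order_id, "stock": stock, "orders": orders}


def demo():
    return {
        "oversell_racy": run(place_order_racy, competing_order),   # stock goes to -1
        "oversell_safe": run(place_order_safe, competing_order),   # order refused, stock 0
        "revoke_racy": run(place_order_racy, revoke_permission),   # order created anyway
        "revoke_safe": run(place_order_safe, revoke_permission),   # refused, stock restored to 1
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The simulation serializes the competing request on the same connection to make the window visible; in production it arrives on another connection, and the guard still holds because the DBMS applies the conditional UPDATE against the row's committed value under a write lock. The same idea applies on MySQL or PostgreSQL with `SELECT ... FOR UPDATE` inside the transaction, or with a conditional UPDATE whose row count is checked, as above; a PHP controller that reads, validates in memory, and then writes unconditionally has the window regardless of what the request object holds.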



