A couple of things:
1. You might need to look at how comments are posted by the normal view action. At a glance you're missing some form data (id of contact?).
2. You can make your code work, but only by overriding (and disabling) some of the security features for that controller action. So I would think you'd be better off rolling your own endpoint to handle this - see the extension I pointed you to previously.
If you are determined to make your code work as posted, you'd change the comments controller and add something like the following:
protect_from_forgery :except => [:create]
(action_name == "create" || action_name == " etc... if you need to whitelist other actions for http basic auth)