A couple of things:
1. You might need to look at how comments are posted by the normal view action. At a glance, you're missing some form data (id of contact?).
app/views/comments/_new.html.haml
2. You can make your code work, but only by overriding (and disabling) some of the security features for that controller action, so I would think you'd be better off rolling your own endpoint to handle this - see the extension I pointed you to previously.
If you are determined to make your code work as posted, you'd change the comments controller and add something like the following:
protect_from_forgery :except => [:create]

def single_access_allowed?
  # Add further `|| action_name == "..."` clauses if you need to whitelist other actions for HTTP basic auth.
  action_name == "create"
end