1) Yes, the guide needed a quick refresh. The Canvas URL is not required, and we've removed that image. Thanks for pointing that out.
2) The URL in Facebook would need to be whatever Facebook would be redirected to eventually. In your case, I believe it would would need to be
XYZsite.com/, but you'll likely need to test. One of the main times when Facebook checks the URL against the domain you set are when a user logins, for the redirection page. Whatever you have set for the new (or returning user) redirection needs to be on the same domain as the Facebook application is configured. I do not believe Facebook would check if an incorrect domain would eventually redirect to a correct one, so you'd need to set this up right from the beginning.
Hope that makes sense and gets you on the right track. If you have any other questions, let us know!