success finally! I do not know what the issue was, but after deleting my server-side user and re-added that info, everything looks good.
Here is my setup, in case anyone else has problems or needs to do something similar
goal- to have a group of users review/edit some data, via a nicer looking web map app
data - map service is secure and a user named bikeped is assigned to a 'user' level role in AGS
web map- added the secure feature service to AGO web map, used AGS credentials, can view fine
- shared the web map with everyone
web app- a stand alone web app (based on the map tools template I believe) using my AGO web map w/secure service
- also shared this as a content item in AGO, but per Jake this is not necessary (and I will probably delete it)
web app- user goes to my URL , types in the the AGS credentials. and we are in business!
Thanks for the help- I hope this info helps another person trolling the forums for answers:)