You shouldn't use urandom for crypto purposes. /dev/random is generated (on most platforms) as cryptographic-strength numbers (usually from hardware), but can block if it runs out of data. /dev/urandom was created with the guarantee to never block and will use /dev/random's pool of numbers initially but can start outputting lower-entropy numbers if /dev/random blocks.
itsdangerous has nothing to do with passwords. It's about signing small messages and these messages are obviously created at runtime.
> nonsense and just use a really strong secret key
That's how you should use itsdangerous: use a strong secret key.
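
The point made in the reply above, as an added example (not part of the thread and not itsdangerous's own code): a small message signed at runtime with HMAC-SHA256 under a random 32-byte key, then verified. The function names, the `payload.signature` layout and the use of Python's `secrets` module as the key source are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import secrets


def new_secret_key(nbytes: int = 32) -> bytes:
    """Generate a signing key from the OS CSPRNG (assumed key source)."""
    return secrets.token_bytes(nbytes)


def _mac(key: bytes, payload: bytes) -> bytes:
    """URL-safe base64 of HMAC-SHA256(key, payload), padding stripped."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


def sign(key: bytes, payload: bytes) -> bytes:
    """Return payload + "." + signature. The payload is readable, not encrypted."""
    return payload + b"." + _mac(key, payload)


def unsign(key: bytes, token: bytes):
    """Return the payload if the signature verifies, otherwise None."""
    # The signature alphabet has no ".", so split on the last separator.
    payload, sep, sig = token.rpartition(b".")
    if not sep:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(sig, _mac(key, payload)):
        return None
    return payload


def demo() -> dict:
    key = new_secret_key()
    token = sign(key, b"user_id=42")            # constructed sample message
    tampered = token.replace(b"42", b"43", 1)   # payload changed, old signature kept
    return {
        "valid": unsign(key, token),
        "tampered": unsign(key, tampered),
        "other_key": unsign(new_secret_key(), token),
    }


if __name__ == "__main__":
    print(demo())
```

Only the holder of the key can produce a token that `unsign` accepts, so the whole guarantee rests on the key being unguessable and kept secret.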