Board: Development & Technical Discussion
Re: blind-hashcash, potential bitcoin applications using blind brands certs/ecash
by adam3us on 09/10/2013, 10:07:14 UTC
A blind-schnorr signature actually hides the hash and message from the issuer

The other important thing I forgot to say is because the issuer doesn't see the hash, it's more that the user can prove they have a forged issuer signature that the user spent a lot of work creating (it's the user that does the work, not the issuer). And the user no longer needs to do the blinding and unblinding steps from 1. blinding the message, 2. having the server sign, and then 3. unblinding; he can just forge a weak signature himself at 2, and then there is no need to blind because you never showed it to anyone before. This is rather analogous to the way bitcoin freshly mined coins are fully anonymous, as you don't really need to bind a proof of work to a forged signature to prove work.

There does remain some interesting new flexibility in the signature, but it does not seem to admit any new features - e.g. homomorphic value was already possible with hashcash without binding it to a blindable signature.

So I think I am demoting/renaming the above scheme to be called signed-hashcash, as while it's true that you could blind, then do the forged signature, and then unblind (so it is a blindable signature), that's a waste of time as you're doing the blinding and unblinding all yourself in the context of the user forging the signature!

We may need a different form of proof of work where the work is blindable / offloadable. I.e. the user can blind a message, publish it so that miners can work on forging a blind signature on it, and then have the user unblind it in such a way that the proof-of-work survives but in an unlinkable form.

Adam
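The "forge a weak signature yourself" idea above, as an added worked example that is not code from the post or from any project the thread discusses. It assumes one concrete way of weakening a Schnorr signature: the Fiat-Shamir challenge is truncated to t bits, so anyone holding only the issuer's public key can produce a valid signature in about 2^t tries by picking (s, e) at random, solving for R, and keeping the pair only when the hash actually yields e. The group parameters (a tiny safe prime) and the sample message are constructed for the demo; the forging method is my assumption about the scheme, not a description from the thread.

```python
import hashlib
import random

# Constructed toy Schnorr group: safe prime P = 2Q + 1 and a generator G of the
# order-Q subgroup. Sizes are deliberately tiny for readability; a real deployment
# would use a 256-bit curve or a 2048+-bit MODP group.
P = 10007
Q = 5003
G = 4  # 2^2 is a quadratic residue, so it lies in the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1

# "Full strength" challenge for this toy group: the largest t with 2^t < Q.
# In a real group this would be 256 bits, i.e. infeasible to forge.
T_FULL = Q.bit_length() - 1


def _challenge(R, msg, t):
    """Fiat-Shamir challenge e = H(R || msg) truncated to t bits.

    With t = T_FULL this is an ordinary signature; a small t is the 'weak
    signature' that a user without the key can forge with ~2^t work.
    """
    h = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % (1 << t)


def keygen(rng):
    """Issuer key pair: secret x, public y = G^x mod P."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(x, msg, t, rng):
    """Honest Schnorr signature by the issuer holding x: no work is needed."""
    k = rng.randrange(1, Q)
    R = pow(G, k, P)
    e = _challenge(R, msg, t)
    s = (k + e * x) % Q
    return R, s


def verify(y, msg, sig, t):
    """Check G^s == R * y^e mod P with the challenge truncated to t bits."""
    R, s = sig
    if not (0 < R < P and 0 <= s < Q):
        return False
    e = _challenge(R, msg, t)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def forge_weak_signature(y, msg, t, rng):
    """Forge an issuer signature under a t-bit challenge using only the public key.

    Pick (s, e) at random and solve R = G^s * y^-e so the verification equation
    holds by construction; the pair is only valid if H(R || msg) really truncates
    to e, which happens with probability 2^-t per try. Expected 2^t attempts:
    that is the hashcash-style work the user spends, and the issuer never sees
    the message, so nothing needs blinding. Returns ((R, s), attempts).
    """
    y_inv = pow(y, P - 2, P)  # modular inverse via Fermat, P prime
    attempts = 0
    while True:
        attempts += 1
        s = rng.randrange(0, Q)
        e = rng.randrange(0, 1 << t)
        R = (pow(G, s, P) * pow(y_inv, e, P)) % P
        if _challenge(R, msg, t) == e:
            return (R, s), attempts


def demo(t=8, seed=1):
    """Honest signature vs. user-forged weak signature on the same message."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msg = b"constructed sample message"  # constructed for the demo
    honest = sign(x, msg, T_FULL, rng)
    forged, attempts = forge_weak_signature(y, msg, t, rng)
    return {
        "honest_valid": verify(y, msg, honest, T_FULL),
        "forged_valid": verify(y, msg, forged, t),
        "forged_attempts": attempts,
        "expected_attempts": 1 << t,
    }


if __name__ == "__main__":
    print(demo())
```

The verifier checks a forged signature at the difficulty t it was made for: the forger's work is only as good as the truncation the checker applies, so t is part of the protocol, just as the leading-zero count is part of a hashcash stamp. Note that the honest issuer still signs at full strength with no work at all, which is the asymmetry the post relies on.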