Thanks for the tip on phpredis. I'm on 2.2.7 which is the default package on Ubuntu 16.04. I tried 3.1.1 but I couldn't get it to work with Twemproxy for some reason. Please update the thread if upgrading to phpredis 3.1.1 indeed fixes your issue!
Otherwise, I also don't have requests that go past 5 seconds based on the script execution time log I noted above (maybe one or two a week which wouldn't account for the hundreds of lock errors I'm getting). I was getting these errors before I implemented more AJAX on the site but it's definitely showing up more now as my new AJAX widget gets called more often (I log the url requested along with the lock errors).
Have you explored bypassing the session altogether for AJAX requests that require some verification but aren't too sensitive in nature by using JWT (Json Web Tokens) in browser session storage? Or at the least, my widget only runs for logged in users and is specific to a user so perhaps even just appending a csrf token to the request could mitigate someone casually trying to view someone else's widget (again, information isn't very sensitive). I'm just hesitant doing either before getting someone else's thoughts on this.
