Enrollment recovery should not wait for next boot
Issue description

When the DMToken is lost, enrollment recovery does not start on the subsequent chrome process start. Instead, enrollment recovery takes place on the next boot after that.

According to the comments, the reason is that when the missing DMToken is detected, it is too late (through LoginDisplayHostImpl already) for triggering enrollment. See https://cs.chromium.org/chromium/src/chrome/browser/chromeos/policy/enrollment_config.h?l=37&ct=xref_jump_to_def&gsn=MODE_RECOVERY and the MarkEnrollmentRecoveryRequired function. See also bug 389481 where enrollment recovery has been originally implemented.

A few options how to do this:

(1) Trigger a reboot automatically when the missing DMToken is detected (once)
(2) Forbid sign-in and show a message that the user shall re-boot
(3) Change the code so that enrollment is still possible at the time missing DMToken is detected

Option (3) might be possible if the reason for moving force re-enrollment to next boot was availability of the serial number (which used to be only made available to chrome by the init scripts if a special serial number recovery flag file was present). This has been changed in bug 216422 so availability of the serial number does not block enrollment recovery.
Jun 1 2017
FTR, here's some UMA: https://uma.googleplex.com/p/chrome/timeline_v2/?sid=57abd9d85e3d6cf3d319094a33a309ca
Comment 1 by tnagel@chromium.org, Apr 11 2017