See crbug/897973 for context.
TouchIdAuthenticator::Available should verify that the binary has a keychain-access-group entitlement whose value matches the one in AuthenticatorConfig. IIUC, this should be possible by crafting a codesigning requirements language string and passing it to https://developer.apple.com/documentation/security/1396726-seccodecheckvalidity?language=objc.
If the check fails, IsUVPAA=false and the authenticator is never instantiated.
Note that this check needs to work for embedders (who will have a different keychain-access-group), so we cannot just hard-code a value to check for.
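
One way to implement the check described above, added here as an example and not Chromium's code: it reads the entitlement from the running task with SecTaskCopyValueForEntitlement rather than taking the requirement-string/SecCodeCheckValidity route the report proposes. The function name and the `configured_group` parameter (standing in for the value from AuthenticatorConfig, so embedders can supply their own) are assumptions.

```objective-c++
#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecTask.h>

#include <string>

// Hypothetical helper. Returns true only if the running binary's code
// signature carries a keychain-access-groups entitlement that lists
// `configured_group`. Every failure path (unsigned binary, entitlement
// missing, unexpected value type) returns false, so the caller can report
// IsUVPAA=false and never instantiate the authenticator.
bool BinaryHasKeychainAccessGroup(const std::string& configured_group) {
  SecTaskRef task = SecTaskCreateFromSelf(kCFAllocatorDefault);
  if (!task)
    return false;

  // The entitlement value is expected to be an array of group strings.
  CFTypeRef value = SecTaskCopyValueForEntitlement(
      task, CFSTR("keychain-access-groups"), /*error=*/nullptr);
  CFRelease(task);
  if (!value)
    return false;

  bool found = false;
  if (CFGetTypeID(value) == CFArrayGetTypeID()) {
    // Compare against the configured value instead of a hard-coded group.
    CFStringRef wanted = CFStringCreateWithCString(
        kCFAllocatorDefault, configured_group.c_str(), kCFStringEncodingUTF8);
    if (wanted) {
      CFArrayRef groups = static_cast<CFArrayRef>(value);
      found = CFArrayContainsValue(
          groups, CFRangeMake(0, CFArrayGetCount(groups)), wanted);
      CFRelease(wanted);
    }
  }
  CFRelease(value);
  return found;
}
```
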
Comment 1 by martinkr@google.com, Oct 24