To log chrome key creation, below [1], add
LOG(ERROR) << "AddKeyEx label=" << key_def.label << ", secret=\"" << key_def.secret << "\"";
To log chrome key validation, below [2], add
LOG(ERROR) << "CheckKeyEx secret=\"" << secret << "\"";
To validate that this check succeeded, add logging to [3]. You can also set `success = false;` to prevent the device from unlocking, which validates that this call is what allowed the device to unlock.
Then, try to use check_key_ex from the command line. It always fails even when given the right secret.
$ cryptohome --action=check_key_ex --key_label=pin --user=<user>
<paste the secret from either log line above>
You can validate that this is indeed running checks against the pin label, because if you try it 6+ times the PIN will become timed out on the lock screen (though make sure to re-lock the screen, because with cryptohome-based PIN chrome only checks if the PIN is valid on displaying and after submitting a PIN).
I suspect check_key_ex is hashing the key to support password-based authentication. Perhaps the password hash should be disabled when a specific key is given, or it should understand how PIN is hashed?
1: https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/quick_unlock/pin_storage_cryptohome.cc?l=207-223&rcl=622107104815cb5dea41fdac324da6eee55fd53c
2: https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/quick_unlock/pin_storage_cryptohome.cc?l=277-284&rcl=622107104815cb5dea41fdac324da6eee55fd53c
3: https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/quick_unlock/pin_storage_cryptohome.cc?l=43-48&rcl=622107104815cb5dea41fdac324da6eee55fd53c
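As an added example (not Chrome or cryptohome code), a small C++ model of the mismatch suspected above: a labelled PIN key is stored exactly as Chrome derived it, but a check path that treats every input as a password hashes it once more before comparing, so the correct secret never matches. The salts, labels and secrets are constructed, and std::hash stands in for the real key derivation.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for Chrome's quick-unlock PIN derivation (not the real KDF).
std::string ChromePinHash(const std::string& salt, const std::string& pin) {
    return "pin:" + std::to_string(std::hash<std::string>{}(salt + pin));
}

// Constructed stand-in for the password-to-passkey transformation the CLI path applies.
std::string PasswordHash(const std::string& password) {
    return "pw:" + std::to_string(std::hash<std::string>{}(password));
}

struct KeyStore {
    std::map<std::string, std::string> keys;  // label -> stored secret, as supplied by AddKeyEx

    void AddKeyEx(const std::string& label, const std::string& secret) { keys[label] = secret; }

    // Suspected behaviour: the input is always hashed as a password before comparison.
    bool CheckKeyExUniformHashing(const std::string& label, const std::string& secret) const {
        auto it = keys.find(label);
        return it != keys.end() && it->second == PasswordHash(secret);
    }

    // Proposed alternative from the report: with an explicit key label, compare the secret as given.
    bool CheckKeyExLabelAware(const std::string& label, const std::string& secret) const {
        auto it = keys.find(label);
        return it != keys.end() && it->second == secret;
    }
};

// Store with one PIN key (added by the quick-unlock path) and one password key (already passkey-hashed).
KeyStore MakeStore() {
    KeyStore store;
    store.AddKeyEx("pin", ChromePinHash("pin-salt", "1234"));
    store.AddKeyEx("password", PasswordHash("hunter2"));
    return store;
}

// The PIN secret copied from the AddKeyEx log line fails through the uniform-hashing check...
bool PinViaUniformHashing() { return MakeStore().CheckKeyExUniformHashing("pin", ChromePinHash("pin-salt", "1234")); }
// ...but succeeds when the label tells the checker not to re-hash it.
bool PinViaLabelAware() { return MakeStore().CheckKeyExLabelAware("pin", ChromePinHash("pin-salt", "1234")); }
// A plain password still works through the uniform-hashing check, which is why the bug hides there.
bool PasswordViaUniformHashing() { return MakeStore().CheckKeyExUniformHashing("password", "hunter2"); }

int main() {
    std::cout << "pin/uniform=" << PinViaUniformHashing() << " pin/label-aware=" << PinViaLabelAware()
              << " password/uniform=" << PasswordViaUniformHashing() << "\n";
    return 0;
}
```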
Comment 1 by afakhry@chromium.org, Nov 16