While trying to write better tests for https://crbug.com/919220 I discovered that at startup, if a user is already in Advanced Protection per their pref, their token (i.e. status) won't get refreshed at the appropriate time. Instead, it appears to reset the timer to 24h from them.

The net effect is that if a user opts-out of AP, their browser won't notice that until they've left the browser running for 24 continuous hours, or logged out/in. This is an edge case, but we should fix it.

At least in the unit tests, I see this call flow:
Ctor->SubscribeToSigninEvents()
 ... OnPrimaryAccountSet() -> OnAdvancedProtectionEnabled() -> resets timer to 24h

Instead, we should only reset the timer if we just recently got evidence from the server that they're still in AP.