Maintain map of nanoapps that are permanently denied

If a broker's authentication state with a nanoapp is "force denied"
via CLI, it's possible that a future nanoapp permissions state check
could cause the client to transition back to the granted state which can
cause issues with tests. Remove this corner case by maintaining a map of
force denials that can be used to ensure that the authenitcation state
is always left as denied.

Bug: 179948640
Test: Run PTS
Change-Id: Ibe23764fb4a2f08d521a0b5d483f7afb01e1bf4b