Validate AttributionSource during unparceling.

The Bluetooth stack is just one example of an application that makes self-calls through public APIs, which makes it very difficult to unconditionally validate AttributionSource arguments. (The AttributionSource is correctly defined the first time a remote caller enters the Bluetooth stack, but we've found many cases where Bluetooth stack calls back into itself without clearing the Binder identity, causing validation chaos.)

This change is an attempt at gracefully solving this by performing validation automatically as part of unparceling an AttributionSource the first time it enters a process.

This strategy isn't perfect, since transporting an instance inside a Bundle would risk unparceling much later, possibly long after the calling UID information has been discarded. We're rationalizing that this risk doesn't exist since AttributionSource was only added a few months ago, and isn't being used in this way. We still intend to circle back and provide a better strategy in a future release for transporting AttributionSource across AIDL which will handle the nuances of self-calls.

Bug: 188391719
Test: atest BluetoothInstrumentationTests
Change-Id: I10b198cfcd8f361e19d52f86deb7f10f05fec891
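
The timing issue the message describes, as an added plain-Java model that is not code from this change or from Android: validation at unparcel time is only meaningful while the sender's calling UID is still available. The names `UnparcelValidationDemo`, `Source`, `callingUid`, `incomingCall` and all UIDs and package names are hypothetical stand-ins; no Android API is used.

```java
import java.util.function.Supplier;

// Hypothetical model: every class, method and value here is constructed for illustration.
public class UnparcelValidationDemo {
    static final int HOST_UID = 1002;   // constructed: UID of the receiving process
    // Stand-in for the Binder calling identity; outside a call it is the host's own UID.
    static final ThreadLocal<Integer> callingUid = ThreadLocal.withInitial(() -> HOST_UID);

    record Source(int uid, String pkg) {
        // "Unparceling": read the claimed fields, then validate them at once.
        static Source fromParcel(Object[] parcel) {
            Source s = new Source((Integer) parcel[0], (String) parcel[1]);
            if (s.uid != callingUid.get()) {
                throw new SecurityException("claimed uid " + s.uid
                        + " != calling uid " + callingUid.get());
            }
            return s;
        }
    }

    // Run one simulated incoming call with the given sender UID, then drop that identity.
    static <T> T incomingCall(int senderUid, Supplier<T> body) {
        callingUid.set(senderUid);
        try { return body.get(); } finally { callingUid.remove(); }
    }

    static String attempt(Supplier<Source> s) {
        try { return "accepted " + s.get(); }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        Object[] honest = {10123, "com.example.app"};   // sender really is 10123
        Object[] forged = {1000, "com.example.app"};    // sender claims another UID

        // Eager unparceling inside the call: the claim is checked against the sender.
        System.out.println(incomingCall(10123, () -> attempt(() -> Source.fromParcel(honest))));
        System.out.println(incomingCall(10123, () -> attempt(() -> Source.fromParcel(forged))));

        // Bundle-style deferral: the call only stores the raw parcel ...
        Object[] stored = incomingCall(10123, () -> honest);
        // ... and unparceling happens after the call, when the sender's UID is gone,
        // so the check compares against the host's own identity instead of the sender's.
        System.out.println(attempt(() -> Source.fromParcel(stored)));
    }
}
```

In this model the deferred case rejects the honest source because the comparison runs against the host's own UID, which is why the result of a late check says nothing about the original sender.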