Modify logic handling denied auth state

To mesh with how other parts of the framework handle apps using APIs
when they are denied, ContextHubClientBroker should throw a security
exception when clients are in the denied authorization state rather than
returning a new error code. This is only enabled for clients targeting
S+. All other clients will receive an error code present before S
denoting an unknown error occurs so that they don't have to handle a new
exception.

Fixes: 181350407
Test: Run PTS
Change-Id: Icf828bb1c34797cf2c65a8adeb92eb83db3aaea6