Don't allow more than 20 failed primary authentication attempts
The following has existed in section 9.11.1 [C-SR-5] of the CDD since Android 14: "Device implementations are STRONGLY RECOMMENDED to implement an upper bound of 20 failed primary authentication attempts".

To align with that strong recommendation, update the SoftwareRateLimiter to explicitly forbid additional guesses after the failure counter reaches 20, when it is operating in enforcing mode.

Note that this has no practical impact, since any guesses after the 19th could be made no faster than 1 per 9.09 years anyway. The 21st could only be made at least 22.7 years from the start.

Bug: 430642788
Test: atest FrameworksServicesTests:com.android.server.locksettings
Flag: android.security.software_ratelimiter
Change-Id: I56f4147989513ae80c56927ca91b5cbe391cc450