Reapply "appops: Finish started proxy op when chain fails"

This reverts commit f13df157.

The original commit had an issue where we attempted to clean up ops
for preflight checks. Since in this case, we use the raw check op,
we get MODE_FOREGROUND, which was incorrectly treated as a soft denial,
instead of an accept. This impacted cases where we compared the
preflight check to GRANTED directly (uncommon, hotword specific).
It also means we would finish ops unexpectedly on preflight.

Original commit message:

A more precise version of I92060d44e666fa6725411de5d714ac0d380f42ae

This fixes an issue where we finish the op which failed permission
checks... which causes refcount mismatches again.

Instead, ensure that we finish only the proxy ops which were
*successfully* started: acheiving this by pushing the cleanup into the
checkPerm loop which iterates through the attr chain.

Technically this should also be added for appop permissions, but focus
on runtime appops for now, since that is where the security issue is.

Test: CtsMediaAudioPermissionTestCases
Test: Manual assistant/now playing
Bug: 377407253
Bug: 293603271
Flag: EXEMPT security
Change-Id: I16f82c9438083f8f64f84ba710f97539960009f1