Refactor device authenticity check in Connect and Suite

QA instructions

Device authenticity check with TS3, TS5 should work as supposed to, both in onboarding & afterwards in settings.

• genuine device with locked bootloader → success
• device with unlocked bootloader → fail
  • unless allowed in settings, then the check in onboarding should be skipped, and check in settings should fail
• device with dev key, debug keys not allowed → fail
• device with dev key, debug keys allowed → success

Device authenticity check with TS7 should always succeed until #22172 is implemented.
(I am ofc talking about production-ready TS7 with proper optiga secret, not unlocked bootloader that we use for dev)