I vaguely recall a conversation with @jvanasco about pending authorizations being recycled across failed orders in my early testing. I think jsha chimed-in on that topic and provided the necessary clarity. Wish I could recall enough to find that topic. That part of Boulder's code might be a little more challenging to locate.
Update:
I found it!