It's easy to construct invalid RandomToken / UnblindedToken / Pass instances

These model classes don't say much about what kind of opaque string value they wrap. It's easy to mix up strings in such a way that the resulting objects won't work.

Try to enforce some more constraints about the opaque string values.