A token proves the user let you in — not that they meant this payment.
Consent is granted once, broadly, in advance. The action happens later, specifically, at machine speed. Between those two moments lives every incident report this industry will ever write.