Log errors for profile reactivate password submitted

[aduth]

🛠 Summary of changes

This pull request changes VerifyPasswordForm to avoid assigning personal_key on FormResponse#extra and instead assign as an instance variable accessible through a new attribute reader.

Why?

• extra is intended to be used for analytics logging and should exclude sensitive information (docs). Personal key is a very sensitive value, and while we've taken steps to ensure that it isn't logged, the previous implementation creates a lot of unnecessary risk that it could accidentally be logged in future changes.
• The aforementioned "taken steps to ensure that it isn't logged" meant that we were only logging success values for this analytics event. By removing personal key from extra, we can log the entire response using FormResponse#to_h, including errors.

📜 Testing Plan

Verify that the build passes.

Verify using make watch_events that submitting password after reactivating a profile disabled due to password reset logs the reactivate_account_verify_password_submitted event (a) without personal_key and (b) with error_details if the submission is unsuccessful.

[aduth]

This approach is also exactly what's documented in the aforementioned Forms documentation:

For sensitive properties, or results that are not meant to be logged, add properties to the Form object that get written during #submit