hs-v3: Service can pick more than HiddenServiceNumIntroductionPoints intro points

During my testing of #30200 (moved), I ended up with service descriptor with 4 intro points even though HiddenServiceNumIntroductionPoints is set to 3 (default).

Further investigation confirmed this by adding a log in the decode_intro_points() function which showed me 4 intro points.

I haven't found out why but one feature of HS is that we launch HiddenServiceNumIntroductionPoints + 2 intro circuits in parallel and the first one to finish are picked.

It appears that more than the defined value can finish at the same time and will be picked.