That is the happy path. If someone were to hijack the communication at step 3 (after post-processing, but before the communication is made)... *poof*, no more download limit.
Because one would have to assume that AS downloads are aborted most frequently due to network outages and/or crashes, not someone hitting 'abort'.
To be 'fair' with a refund under the held-token approach, they would have to assume any non-communication back was due to this, and 'time out' the hold; otherwise crashed clients wouldn't get a 'refund' anyway.
That wouldn't be hard to game at all.
*shrug*. The more complex a system you make, the harder it is to protect. Simple is better.