The kernel makes no attempts to handle session referencing of a token, or in other words, the TokenSessionReference code case path is never triggered because nobody is actually calling it.
In addition to that the TOKEN internal data structure missed a very important member, the LogonSession, which is now introduced on f5dc1c7. The fact that the token has no logon session reference data and that we don't even handle session referencing of tokens can lead to inconsistencies in the kernel and subtle bugs, whatever they are.
On Windows the server side API of LSASS (LSASRV) handles the token session reference by doing whatever operation is needed and then calling NtSetInformationToken.
All in all, the steps necessary to be taken for this kind of ticket is:
1. Implement add/remove logon sessions on tokens;
2. Re-evaluate TokenSessionReference code, investigate what Windows does and if we miss something;
3. Implement token session referencing handling on LSASS side, which will communicate with the kernel;
4. Do some cleanup when necessary and check that things are working as they should.