Harden resend throttling
Medium
Gratipay
Submitted None
Reported by
whit537
Vulnerability Details
Technical details and impact analysis
Over in #87531, we're about to roll out a protection against using our "resend email verification" feature to mail-bomb a third party. However, [email protected] and [email protected] are not unlikely to fold down to the same address. In order to close that loophole, I suppose we'd need to either implement email address parsing—but what folding rules are we going to observe?—or throttle based on the authenticated user and not the `to` field, as @rohitpaulk suggested over on #87531 for other reasons.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Violation of Secure Design Principles
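Added example, not part of the original report and not Gratipay's code: a sliding-window resend throttle run once keyed on the `to` field and once keyed on the authenticated user, to show why the second option in the report closes the loophole without any address-folding rules. The class and function names, the limit of 3 per hour, and the sample addresses are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque


class ResendThrottle:
    """Sliding-window limiter: at most `limit` sends per `window` seconds per key."""

    def __init__(self, limit=3, window=3600, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._sent = defaultdict(deque)  # key -> timestamps of allowed sends

    def allow(self, key):
        now = self.clock()
        q = self._sent[key]
        while q and now - q[0] >= self.window:  # forget sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(key_for, requests, limit=3):
    """Count the resend requests that pass when throttled on key_for(request)."""
    fake_now = [0.0]
    throttle = ResendThrottle(limit=limit, clock=lambda: fake_now[0])
    allowed = 0
    for req in requests:
        fake_now[0] += 1.0  # one request per second, all inside one window
        allowed += throttle.allow(key_for(req))
    return allowed


# Constructed sample: one logged-in user (id 42) requests ten resends, each to a
# different spelling that a mail provider may deliver to the same mailbox.
REQUESTS = [{"user_id": 42, "to": "thirdparty+%d@example.com" % i} for i in range(10)]

# Keyed on `to`: every spelling is a fresh key, so nothing is throttled.
by_to_field = simulate(lambda r: r["to"].lower(), REQUESTS)
# Keyed on the authenticated user: the limit holds whatever `to` contains.
by_user = simulate(lambda r: r["user_id"], REQUESTS)

if __name__ == "__main__":
    print("allowed when keyed on `to`:", by_to_field)
    print("allowed when keyed on user:", by_user)
```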