If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased.

This, along with other issues, was fixed in eduMFA v2.9.1.

Limiting access to /validate/check to client applications (i.e. Shibboleth/FreeRADIUS) using an authorization policy with api key required or using e.g. the reverse proxy.