A curfew must attribute every access event to a verified individual at a specific time. That means the verified-age token has to stay bound to the live session.
So every HTTP request needs to be authenticated and potentially logged against a robust digital identity.