Ok, I tracked down the problem and, in a nutshell, it boils down to Seeking help to understand Tracker configuration for imports using import_logs.py again 
In Core\Tracker\Request::getIpString(), the IP extracted from the logs is being replaced by the IP from the headers if token_auth is not set or invalid:
/**
* @return mixed|string
* @throws Exception
*/
public function getIpString()
{
$cip = $this->getParam('cip');
Common::printDebug(sprintf('CIP is %s', $cip));
if (empty($cip)) {
return IP::getIpFromHeader();
}
if (!$this->isAuthenticated()) {
Common::printDebug("WARN: Tracker API 'cip' was used with invalid token_auth");
return IP::getIpFromHeader();
}
return $cip;
}
I think I might turn this into a bug report on github, since at the very least I think it should respect the setting for tracking_requests_require_authentication_when_custom_timestamp_newer_than.