Show friendly help if we can't find the openid session token from a validation link
The most common reason for that is initiating a login on a third-party site, creating the account in sso as part of the flow, then clicking on the activation link on another device or browser.
SO instead of sending people to a terse 404 page which causes them to fume and come file bugs which end up as dupes of https://pad.lv/1693375, the new (still a 404-code) page explains what to do and provides a link where they can validate their e-mail address out of the third-party login flow (which is the workaround we recommend anyway, after painful back and forth checking the format of the link they clicked on and referring to the cited bug)
Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/better-evil-token-instructions/+merge/367285