We have the Get OAuth 2.0 info policy to get the app or client info for a given access token, but I could find the flow variables getting populated if OAuth fails. My requirement is that if a verify access token fails, we have to know which app it failed for. How can I achieve this when the flow variables are not being populated after OAuth fails with 401?
Five consecutive 401s....
I don't think a custom attribute on each app is the right way to go. The app artifacts are cached in the MP, and AFAIK AccessEntity will read from cache. (But I haven't tested this exact scenario - you may wish to test it). Further, it is not possible for you to flush or circumvent the cache via a configuration flag that you apply to AccessEntity.
You could try using a Quota policy for this purpose, with allow limit = 5, and Synchronous=true. Use the token as the quota identifier. In the case of 401, increase the quota. In the case of non-401, reset the quota. Use a continueOnError = true in the Quota policy. Check the condition afterwards to see if the quota has fired, and if it has fired, revoke the token.
If you don't necessarily mean five consecutive 401s, but five 401s at any point, then... don't reset the quota in the case of a successful validation.
Be careful though - the effective quota identifier always includes the proxy name, so... you must always perform this check within the same proxy. Use a local shared quota proxy to get this behavior. (There is an outstanding feature request to change this behavior).
If the Synchronous Quota does not work for you, then you may need to resort to an external store of data. A database that you manage. You'd need to call out to it, maybe via ServiceCallout, after every 401.
Good luck.
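The external-store fallback from the answer above, sketched as an added example (not code from the original answer or from Apigee): a per-token 401 counter in SQLite that supports both the "five consecutive" and the "five at any point" variants. The `FailedTokenStore` class, the `failures` table, and hashing the token before storing it are assumptions made for this illustration; the service behind the ServiceCallout would call `record()` after each validation and revoke the token when it returns `True`.

```python
import hashlib
import sqlite3

LIMIT = 5  # the answer's "allow limit = 5"


class FailedTokenStore:
    """Per-token 401 counter kept outside the gateway (hypothetical schema)."""

    def __init__(self, path=":memory:", consecutive=True):
        self.consecutive = consecutive
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS failures ("
            "token_hash TEXT PRIMARY KEY, fails INTEGER NOT NULL)"
        )

    @staticmethod
    def _key(token):
        # Assumption: store a SHA-256 digest so the table never holds raw tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def record(self, token, status):
        """Record one validation result; return True when the token should be revoked."""
        key = self._key(token)
        with self.db:  # one transaction per call
            if status == 401:
                self.db.execute(
                    "INSERT INTO failures (token_hash, fails) VALUES (?, 1) "
                    "ON CONFLICT(token_hash) DO UPDATE SET fails = fails + 1",
                    (key,),
                )
            elif self.consecutive:
                # A success breaks the streak; in cumulative mode it is ignored.
                self.db.execute("DELETE FROM failures WHERE token_hash = ?", (key,))
            row = self.db.execute(
                "SELECT fails FROM failures WHERE token_hash = ?", (key,)
            ).fetchone()
        return row is not None and row[0] >= LIMIT


def replay(store, token, statuses):
    """Feed a constructed sequence of status codes; return the index that trips the limit."""
    for i, status in enumerate(statuses):
        if store.record(token, status):
            return i
    return None
```

Because the key here is the token alone, the count is shared across proxies, which is the behavior the proxy-scoped quota identifier does not give you.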