One further addition is to ask the kernel immediately (through Netlink) if it knows the MAC address of a new client before doing the group lookups in the database. This should make recognizing clients by their MAC addresses finally pretty reliable.
Please test this some more, but I have the feeling that this feature has become ready for inclusion in the v5.3 release.
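The kernel lookup described above, sketched as an added example that is not part of the original post or the project's code: it parses `RTM_NEWNEIGH` messages as an `RTM_GETNEIGH` dump of the IPv4 neighbour table would return them, and refuses entries the kernel has not resolved, so an unusable MAC is never fed into the group lookup. The use of a neighbour-table dump, the names `neigh_lookup`, `ND_ATTRS`, `struct sample`, `ENTRY` and `dump`, and the addresses are assumptions; the messages are constructed sample data so the block runs offline.

```c
#include <arpa/inet.h>
#include <linux/rtnetlink.h>   /* nlmsghdr, ndmsg, rtattr, NDA_*, NUD_* */
#include <stdio.h>
#include <string.h>

#define ND_ATTRS(nd) ((struct rtattr *)((char *)(nd) + NLMSG_ALIGN(sizeof(struct ndmsg))))

/* Hypothetical helper: return 1 and fill `mac` if the dump holds a usable MAC for `ip`. */
int neigh_lookup(void *buf, int len, const char *ip, unsigned char mac[6])
{
    struct in_addr want;
    if (inet_pton(AF_INET, ip, &want) != 1) return 0;
    for (struct nlmsghdr *nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        struct ndmsg *nd = NLMSG_DATA(nh);
        int alen = (int)nh->nlmsg_len - (int)NLMSG_LENGTH(sizeof(*nd));
        /* Skip short messages and unresolved or failed entries (no usable MAC). */
        if (nh->nlmsg_type != RTM_NEWNEIGH || alen < 0 || nd->ndm_family != AF_INET ||
            (nd->ndm_state & (NUD_INCOMPLETE | NUD_FAILED)))
            continue;
        const unsigned char *dst = NULL, *ll = NULL;
        for (struct rtattr *a = ND_ATTRS(nd); RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {
            if (a->rta_type == NDA_DST && RTA_PAYLOAD(a) == 4) dst = RTA_DATA(a);
            if (a->rta_type == NDA_LLADDR && RTA_PAYLOAD(a) == 6) ll = RTA_DATA(a);
        }
        if (dst && ll && memcmp(dst, &want, 4) == 0) { memcpy(mac, ll, 6); return 1; }
    }
    return 0;
}

/* Constructed neighbour dump (sample data, not a capture): one reachable, one failed. */
struct sample { struct nlmsghdr nh; struct ndmsg nd; struct rtattr a1; unsigned char ip[4];
                struct rtattr a2; unsigned char mac[8]; };
#define ENTRY(state, last, ...) { \
    { .nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)) + RTA_SPACE(4) + RTA_LENGTH(6), \
      .nlmsg_type = RTM_NEWNEIGH }, \
    { .ndm_family = AF_INET, .ndm_state = (state) }, \
    { RTA_LENGTH(4), NDA_DST }, { 192, 168, 1, (last) }, \
    { RTA_LENGTH(6), NDA_LLADDR }, { __VA_ARGS__ } }
struct sample dump[2] = { ENTRY(NUD_REACHABLE, 10, 0x02, 0, 0, 0xaa, 0xbb, 0xcc),
                          ENTRY(NUD_FAILED, 20, 0) };

int main(void)
{
    unsigned char mac[6] = {0};
    int known = neigh_lookup(dump, sizeof dump, "192.168.1.10", mac);
    printf("192.168.1.10 known=%d mac=%02x:..:%02x\n", known, mac[0], mac[5]);
    printf("192.168.1.20 known=%d\n", neigh_lookup(dump, sizeof dump, "192.168.1.20", mac));
    return 0;
}
```

A MAC taken from the neighbour table identifies a client only on the local link and is set by the client itself, so group membership keyed on it is a convenience rather than an authentication boundary.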