Full matching of a vulnerability finding with its feedback requires
a comparison of the project_fingerprint, project, and category.

We were only checking the project_fingerprint, so we were reporting
undismissed feedback as dismissed if there was another dismissal
feedback that had the same project_fingerprint but was either for
another project or in another report type.

https://gitlab.com/gitlab-org/gitlab/issues/36958