Comment 2 for bug 1902250

Paweł Stołowski (stolowski) wrote :

Thank you for the detailed bug report!

This XAUTHORITY check is part of the logic that migrates the xauthority file into the sandbox before starting the snap, and when doing that it performs various checks to prevent typical attack vectors. In this case it falls into:

// Ensure the XAUTHORITY env is not abused by checking that
// it point to exactly the file we just opened (no symlinks,
// no funny "../.." etc)
if fin.Name() != xauthPathCan {
  logger.Noticef("WARNING: XAUTHORITY environment value is not a clean path: %q", xauthPathCan)
...

It apparently fails because /var/run is a symlink to /run while XAUTHORITY is set to /var/run/..., so your diagnosis is correct.
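
The failure described in the comment above, reproduced as an added example (not part of the original comment and not snapd's own code). It assumes that `xauthPathCan` is the symlink-resolved form of the XAUTHORITY value; `isCleanPath`, `buildLayout` and the file name `xauth_demo` are hypothetical, and the directory tree is constructed in a temp dir to imitate `/var/run` pointing to `/run`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// isCleanPath repeats the quoted comparison. Assumption: the canonical path
// (xauthPathCan on the page) is the symlink-resolved form of the given path.
func isCleanPath(path string) (bool, string, error) {
	fin, err := os.Open(path)
	if err != nil {
		return false, "", err
	}
	defer fin.Close()
	canonical, err := filepath.EvalSymlinks(path)
	return err == nil && fin.Name() == canonical, canonical, err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildLayout creates a constructed tree under root imitating /run and a
// /var/run -> /run symlink, and returns the same file spelled both ways.
func buildLayout(root string) (viaSymlink, direct string) {
	root, err := filepath.EvalSymlinks(root) // temp dir may itself sit behind a symlink
	must(err)
	direct = filepath.Join(root, "run", "user", "xauth_demo")
	viaSymlink = filepath.Join(root, "var", "run", "user", "xauth_demo")
	must(os.MkdirAll(filepath.Dir(direct), 0o700))
	must(os.Mkdir(filepath.Join(root, "var"), 0o755))
	must(os.Symlink(filepath.Join(root, "run"), filepath.Join(root, "var", "run")))
	must(os.WriteFile(direct, nil, 0o600))
	return viaSymlink, direct
}

func main() {
	root, err := os.MkdirTemp("", "xauth-demo")
	must(err)
	defer os.RemoveAll(root)
	viaSymlink, direct := buildLayout(root)
	for _, p := range []string{viaSymlink, direct} {
		clean, canonical, err := isCleanPath(p)
		fmt.Println(p, "->", canonical, "clean:", clean, "err:", err)
	}
}
```

Both spellings name the same file, but only the one that does not pass through the symlinked directory compares equal to its canonical form.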