See comments in revision 41.
Let's be sure we make it clear what we mean here: In some of these cases the error response is specified above. The question is whether the DE provides any additional services like quarantining the atoms or post-processing them later to see if the consumer/device ID becomes valid a bit later….
I don't see how a DE could state that it would return an error in this case: Checking each incoming atom against it's store for duplicates would be quite a burden and what would be the value? I think it is either duplicate or overwrite
If we mean 'syntactically invalid' – i/e/ not a pseudonymous key, then the DE has to return a 400 in both of these cases.