Probably worth tackling later, but for now it's not worth worrying about; some other implementations (e.g. Misskey's) look to have the same behavior anyways.
Status reactions had an API similar to that of
announcement reactions, using PUT and DELETE at a
single endpoint. I believe that for statuses, it
makes more sense to follow the convention of the
other interactions and use separate POST endpoints
for create and destroy respectively.
Turns out the strange error where it would delete
the wrong reaction occurred because I forgot to
pass the emoji name to the query, which resulted
in the database deleting the first reaction it
found. Also, this removes the unused set_reaction
callback and includes the Authorization module for
the status reactions controller.