I think that code should check if current booking status is unconfirmed before actually confirm it.

In publicbookings.public.inc (public_confirm callback) I've made some minor changes

  $sql = "SELECT pbc.email, bres.name AS resourceName, brec.start, brec.end, brec.name AS eventName, pbc.record_id, brec.resource_id" .
         [...]
  if ($client == FALSE) {
    return '<p>'.t('Invalid passphrase. Verify the link in your confirmation email.').'</p>';
  }
   else {
    [...]
  }

replaced by

  $sql = "SELECT pbc.email, bres.name AS resourceName, brec.start, brec.end, brec.name AS eventName, pbc.record_id, brec.resource_id, brec.status " .
         [...]
  if ($client == FALSE) {
    return '<p>'.t('Invalid passphrase. Verify the link in your confirmation email.').'</p>';
  }
   else if (BOOKINGSAPI_STATUS_UNCONFIRMED != $client['status']) {
    return '<p>'.t('This booking request has been confirmed already. Please, wait for an admin to finalize/deny your request.').'</p>';
  }
   else {
    [...]
  }