I suggest that with a successful online check, the server returns something that can be checked offline - perhaps signed with a private key, for which the application has a public key (Google public key cryptography) - so it can be checked locally, without a local copy that has enough information to create a valid local validation token.
The local check must have a start and end time, and if for some reason the token is invalid, an online check must be performed. If the token has expired recently (at the given value of the latter), and the online check failed, the system allows access to give some time delay.