BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default

[christothes]

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:

• Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
• Parses the WWW-Authenticate header (format here)
  • validate that the error value is "insufficient_claims"
  • capture the claims value and decode it from base64 encoding to a string
• Pass the string value of the un-encoded claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
• Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
• Authorize the original request with the new token and send it through the pipeline again
• Return any response to the caller (don't try to handle a second challenge)

Example PRs: https://github.com/Azure/azure-sdk-for-go/pull/23414 https://github.com/Azure/azure-sdk-for-net/pull/46277

[ahsonkhan]

This feature is blocked on MSAL support for CAE in C++.

We can handle the following in BearerTokenAuthenticationPolicy within Azure::Core and invalidate the token in that policy whenever we see a 401:

Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)