fix: ComputeEngineCredentials.createScoped should invalidate existing AccessToken

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

[x ] Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
[ ] Ensure the tests and linter pass
[ ] Code coverage does not decrease (if any source code was changed)
[ ] Appropriate docs were updated (if necessary)

Fixes #1387 ☕️

If you write sample code, please follow the samples format.

As described in the original issue, this looks like a regression introduced in https://github.com/googleapis/google-auth-library-java/commit/7e268611d2c2152e84702b1c67ca846902bbe2d5 when migrating from deprecated constructor to use builder. Access token is scoped and should be invalidated when scope changes.

This is a draft for discussion, changes included:

ComputeEngineCredentials.createScoped() should invalidate existing AccessToken
ComputeEngineCredentials.createScoped(newScopes, newDefaultScopes) should respect universe domain settings.
Other credential types: e.g. ServiceAccountCredentials.creatScoped() should also invalidate existing AccessToken

TODOs:

Other GoogleCredentials subclasses that overrides createScoped().
What about credential types that do not override this method? Verify that they are credentials that do not support scopes and should return the same instance.

googleapis / google-auth-library-java