hypothesis / lms

LTI app for integrating with learning management systems
BSD 2-Clause "Simplified" License

Handle Canvas Studio admin token lookup when LMS has multiple installs #6394

Closed robertknight closed 1 week ago

robertknight commented 1 week ago

Handle the case where the same Canvas Studio OAuth client is reused for multiple installs at the same LMS, and the Canvas Studio admin has authenticated while using a different install than the one being used to launch a Canvas Studio assignment.

Previously admin-authenticated API requests to Canvas Studio used tokens associated with the same application instance as the current LTI user. In this commit that is changed to find a (user, application_instance) combination for a user who has the correct email, belongs to the same LMS, and has authenticated with Canvas Studio. If there are multiple matches, because the admin has authenticated in multiple installs, we pick the most recent.

This solution is something of a workaround for the fact that OAuth tokens in our LMS app do not correspond 1:1 with records in the external LMS. In the external LMS, tokens are keyed by (oauth_client_id, user_id). Our oauth2_token table however is keyed by (application_instance_id, user_id), and it is possible to configure multiple app instances using the same OAuth client ID.

Fixes https://github.com/hypothesis/lms/issues/6356.


Testing:

  1. Configure application instances 8 (http://localhost:8001/admin/instances/8/) and 102 (http://localhost:8001/admin/instances/102) to use the same Canvas Studio OAuth client. These AIs are the LTI 1.1 and LTI 1.3 installs within our test Canvas instance. They have the same GUID.
  2. Log in as the Canvas Studio admin, open the assignment at https://hypothesis.instructure.com/courses/125/assignments/6473, which uses AI 8, and authenticate.
  3. Log out of Canvas and back in as a non-admin user. The assignment should launch successfully.
  4. Go to the assignment at https://hypothesis.instructure.com/courses/319/assignments/6944, which uses AI 102. This should also launch successfully.
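The admin token lookup the description outlines, as an added Python example that is not the project's own code. The record shapes and field names are simplified assumptions modelled on the description, and the same-OAuth-client check is an added precaution not stated in the PR.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed, simplified records modelled on the PR description (real
# hypothesis/lms tables and column names may differ).
@dataclass(frozen=True)
class ApplicationInstance:
    id: int
    lms_guid: str         # identifies the external LMS
    oauth_client_id: str  # Canvas Studio OAuth client, shared across installs

@dataclass(frozen=True)
class User:
    id: int
    application_instance_id: int
    email: str

@dataclass(frozen=True)
class OAuth2Token:
    user_id: int
    application_instance_id: int
    updated: datetime  # when the admin last authenticated with Canvas Studio

def find_admin_token(current_ai, admin_email, app_instances, users, tokens):
    """Most recent Canvas Studio token for the admin, usable from current_ai.

    Matches the admin's email, the same LMS (GUID) and an existing token, and
    picks the newest when the admin authenticated in several installs. The
    same-OAuth-client check is an added precaution (not stated in the PR):
    Canvas Studio keys tokens by (oauth_client_id, user_id), so a token from
    an install that uses a different client would not be valid here.
    """
    ai_by_id = {ai.id: ai for ai in app_instances}
    by_key = {(t.application_instance_id, t.user_id): t for t in tokens}
    candidates = []
    for user in users:
        ai = ai_by_id.get(user.application_instance_id)
        if user.email != admin_email or ai is None:
            continue
        if ai.lms_guid != current_ai.lms_guid:
            continue
        if ai.oauth_client_id != current_ai.oauth_client_id:
            continue
        token = by_key.get((ai.id, user.id))
        if token is not None:
            candidates.append(token)
    return max(candidates, key=lambda t: t.updated, default=None)
```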