Update docs to account for unconfirmed users

[dan-klasson]

Ensure oauth users cannot login with unconfirmed account https://github.com/team-alembic/ash_authentication/issues/443

[zachdaniel]

I think we want to add some comments to highlight that these changes are only necessary if you're using the password strategy & confirmation.

[zachdaniel]

I'll let @jimsynz review, check the discord conversation for more on the issue that this addresses when combining social logins with email/password. https://discord.com/channels/711271361523351632/1275053139527204874