Status: Closed
Labels: enhancement (New feature or request), invalid (This doesn't seem right)
Description
Currently if the OBO token exchange fails, there is no meaningful way to tell why. This is important because one of the key reasons for failure is consent change. Since EasyAuth applications can't force-refresh their own consent (or at least, as far as I could find), users have to reset their own permissions or the admin must revoke consent for the entire tenant. This is just one potential use case -- I think it's appropriate to sanitize the error and return a useful message. For the consent issue, this might be to redirect the user to myapps.microsoft.com to clear consent.
An example error response to parse (consent mismatch, some information removed):
```json
{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '<<REMOVED>>' named 'AuthJanitor Administrator Tool'. Send an interactive authorization request for this user and resource. [...]",
  "error_codes": [65001],
  "suberror": "consent_required"
}
```
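One way to do the sanitizing the issue asks for, as an added example rather than AuthJanitor's own code: parse the token endpoint's error body, key off `error_codes`/`suberror` instead of the free-text `error_description`, and hand back a user-safe message plus a remediation (the myapps.microsoft.com step proposed above) so the app can decide whether to redirect. The `KNOWN_ERRORS` table, `SanitizedError` type and the sample body are constructed for this illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed table: AADSTS codes this handler understands. 65001 and the myapps step are from the issue.
KNOWN_ERRORS = {
    65001: ("This application has not been granted consent to act on your behalf.",
            "Review or remove the app's permissions at https://myapps.microsoft.com and "
            "sign in again, or ask an administrator to re-consent for the tenant."),
}

@dataclass
class SanitizedError:
    code: Optional[int]         # numeric AADSTS code, if the response carried one
    suberror: Optional[str]     # OAuth suberror, e.g. "consent_required"
    user_message: str           # safe to display; never the raw error_description
    remediation: Optional[str]  # concrete next step for the user, if known
    consent_required: bool      # lets the caller decide whether to redirect

def sanitize_obo_error(body: str) -> SanitizedError:
    """Turn the error body of a failed OBO token exchange into a sanitized result.
    error_description is never echoed: it can carry app/tenant identifiers and trace text."""
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        payload = None
    if not isinstance(payload, dict):  # non-JSON body, or JSON that is not an object
        return SanitizedError(None, None, "Token exchange failed with an unreadable error response.", None, False)
    codes = payload.get("error_codes")
    code = codes[0] if isinstance(codes, list) and codes and isinstance(codes[0], int) else None
    suberror = payload.get("suberror")
    consent = suberror == "consent_required" or code == 65001
    if consent:
        message, remediation = KNOWN_ERRORS[65001]
    elif code in KNOWN_ERRORS:
        message, remediation = KNOWN_ERRORS[code]
    else:
        # Unknown failure: expose only the OAuth error class and numeric code for log correlation.
        detail = f", AADSTS{code}" if code is not None else ""
        message = f"Token exchange failed ({payload.get('error', 'unknown_error')}{detail})."
        remediation = None
    return SanitizedError(code, suberror, message, remediation, consent)

# Constructed sample modelled on the consent-mismatch response quoted in this issue.
SAMPLE_CONSENT_ERROR = json.dumps({
    "error": "invalid_grant", "error_codes": [65001], "suberror": "consent_required",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the "
                         "application with ID '<<REMOVED>>' named 'AuthJanitor Administrator Tool'.",
})
```

Because the decision is made on `suberror` and `error_codes`, a response that carries only `"suberror": "consent_required"` still maps to the consent remediation, and the identifiers inside `error_description` never reach the UI.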