Add conformance tests for authorization baseline

[nbarbettini]

Similar to #78 but even simpler, there are a number of baseline expectations that we could check without even needing a mock AS in the mix. A protected server (remote server requiring authorization) MUST always:

• Reject requests with a malformed Authorization header, e.g. Authorization: foo (https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#token-requirements)
• Reject requests with a well-formed Authorization header but a garbage access token, e.g. Authorization: Bearer foo (https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#token-handling)

And some smoke tests for poor JWT implementations - not all access tokens are JWTs, but they are common enough that these footguns are well-documented:

• Reject requests containing an unsigned JWT (no signature part)
• Reject requests containing a JWT with alg: "none" (an old trick to get around signature validation, should be rejected by all modern JWT libs)
• Reject requests containing a self-signed JWT (the presence of a signature is not enough, it must be signed with a trusted key!)

[nbarbettini]

@pcarleton If you think these are a good idea, I can knock them out!