Orphaned token exists after attempting to login with alt character
When a user attempts to log in with an alt character, due to #1356 (closed) this option has been disabled. However, it would appear that when we are making the checks and determine that the character is in fact an alt and decide to deny the login we never actually delete the token like we would if the attempt had succeeded. This can result in a token that is impossible for a normal user to delete, and could lock ownership to a specific user since token ownership is only actually used to generate a CharacterOwnership record and the ownership of existing tokens is never checked again.
On a semi-related note, while figuring out this bug, I noticed that we set a bunch of messages in the authenticate method in the authentication backend which are never used or displayed and should probably be removed.