Return correct error for missing or bad OAuth2 token
We're currently returning a 404 error if a token is bad. It should probably be a... 403? Or a 401?
We're currently returning a 404 error if a token is bad. It should probably be a... 403? Or a 401?