Enforce prefixing for new tokens

In https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes we mandate that tokens are prefixed, so that they can be detected by secret detection if leaked. Now that many of our tokens have prefixes, we should enforce this for new additions. This also increases efficiency: developers don't need to go back and add a prefix later, there are no worries about needing to rotate existing tokens later, no need for a feature-flagged rollout, etc.

Context

  • Prefix all authentication tokens for easier det... (&8923)
  • https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+

Proposal

  • Introduce a rubocop for use of add_authentication_token_field without format_with_prefix
  • Evaluate the failures:
    • Add to https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+ if remediation is warranted
    • Add rubocop:disable if it isn't
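
One way to prototype the check this proposal describes, as an added example and not GitLab's own cop: it uses Ruby's stdlib Ripper parser to find add_authentication_token_field calls whose arguments lack a format_with_prefix: option, so it runs without the rubocop gem. A real cop would express the same match as a RuboCop::Cop::Base subclass with a node pattern; the sample model and the cop name Token/Prefix are constructed for illustration.

```ruby
require 'ripper'

TOKEN_METHOD  = 'add_authentication_token_field'
PREFIX_OPTION = 'format_with_prefix:' # Ripper keeps the colon on label tokens

# True if +node+ or any descendant satisfies the block.
def deep_any?(node, &block)
  return false unless node.is_a?(Array)
  return true if block.call(node)
  node.any? { |child| deep_any?(child, &block) }
end

def ident?(node, name)
  node.is_a?(Array) && node[0] == :@ident && node[1] == name
end

def label?(node, name)
  node.is_a?(Array) && node[0] == :@label && node[1] == name
end

# Returns the line numbers of every add_authentication_token_field call
# (with or without parentheses, no explicit receiver) whose arguments do
# not include format_with_prefix:.
def missing_prefix_lines(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, 'source does not parse' if sexp.nil?

  offenses = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if %i[command method_add_arg].include?(node[0])
      callee = node[1]
      callee = callee[1] if callee.is_a?(Array) && callee[0] == :fcall
      if ident?(callee, TOKEN_METHOD)
        line = callee[2][0]
        offenses << line unless deep_any?(node) { |n| label?(n, PREFIX_OPTION) }
        next # this call's arguments have been inspected; no need to descend
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  offenses
end

# Constructed sample model (not GitLab code): lines 2 and 4 lack a prefix.
SAMPLE = <<~RUBY
  class Project < ApplicationRecord
    add_authentication_token_field :runners_token, encrypted: :required
    add_authentication_token_field :feed_token, format_with_prefix: :prefix_for_feed_token
    add_authentication_token_field(:ci_job_token, encrypted: :optional)
  end
RUBY

missing_prefix_lines(SAMPLE).each do |line|
  puts "sample.rb:#{line}: Token/Prefix: #{TOKEN_METHOD} must pass format_with_prefix:"
end
```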

Not this proposal

  • Making format_with_prefix a required parameter (that would break existing uses)