Only allow documented token types for GraphQL authentication

Andrew Evans requested to merge atevans/17-0-graphql-token-change into 17-0-stable-ee

What does this MR do and why?

Only allow documented token types for GraphQL authentication

This feature flag is cleaned up in production in 17.1, and we have decided to backport to the last three major versions with a default-on feature flag. Since the commits are already present in 17.0, this change sets the feature flag to on-by-default.

Related to #442520

Relates to https://gitlab.com/gitlab-org/release/tasks/-/issues/11141

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • This MR has a severity label assigned (if applicable).
  • Set the milestone of the merge request to match the target backport branch version.
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:package-and-test-ee job has either succeeded or been approved by a Software Engineer in Test.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Adil Farrukh
