auth: do not concatenate same token when a request is retried for a non-authorization error

while the token was being popped only on auth errors, the logic to add the token to the request was still running, the current token ending up concatenated with itself

the token is now memoized in the request and only discarded on auth errors, ensuring that connection resets won't reset the token either