fix: refresh token lookups not scope by application

This bug meant that lookups of refresh token grant were not scoping it to the application from credentials.

connected to it, token introspection wasn't protected by client authentication by default, and token revocation suffered from the same scope problem when invoked from the API.