
DPoP: Internal Migration to Result-Based JWT Validation #3467

@westin-m

Description


Goals

  • Replace the catch-all try/catch around JsonWebTokenHandler.ValidateTokenAsync (legacy) in DPoPProofValidator with the new result-based call
  • Keep DPoPValidationResult as the public return type

Work

  • Add src/Microsoft.IdentityModel.Dpop/Experimental/DPoPProofValidator.Internal.cs invoking JsonWebTokenHandler via the new IResultBasedValidation API and translating ValidationError → DPoPValidationResult.Failed(...) factories
  • Add DPoP-specific ValidationError subclasses under Microsoft.IdentityModel.Dpop.Experimental: DPoPProofClaimValidationError (with claim name: ath/htm/htu/jti/jwk/nonce), DPoPCnfThumbprintMismatchError, DPoPNonceRequiredError
  • Add an opt-in internal Task<ValidationResult<ValidatedDPoPProof, ValidationError>> ValidateInternalAsync(...) returning the typed result for callers that want it; ValidatedDPoPProof carries JkT and Nonce
  • Optionally add an additive nullable ValidationError property on DPoPValidationResult so callers can introspect the typed error without touching the experimental API
  • Update InternalAPI.Unshipped.txt

Tests

  • Existing DPoPProofValidatorTests continue to assert DPoPValidationResult shape
  • New tests assert that the typed ValidationError matches the failing claim/category for each documented error path in RFC 9449 §4.3 and §7.1

Acceptance

  • DPoPValidationResult.Failed/NonceRequired/NonceValidationFailed factory output unchanged
  • No new dependencies
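As an added example (not the repository's code), a hypothetical stand-alone C# sketch of the pattern the Work and Tests sections describe: the RFC 9449 §4.3 claim checks return a typed ValidationError naming the failing claim, and a translation step maps it onto the unchanged DPoPValidationResult factories. Every type name and signature here is an assumption modelled on the issue text, not the Microsoft.IdentityModel API; htu is compared ordinally and ath is passed in precomputed for brevity.

```csharp
#nullable enable
using System.Collections.Generic;
// Hypothetical stand-ins for the typed errors the issue proposes; not the library's own types.
public abstract record ValidationError(string Message);
public sealed record DPoPProofClaimValidationError(string ClaimName, string Message) : ValidationError(Message);
public sealed record DPoPNonceRequiredError() : ValidationError("DPoP nonce required");
public sealed record ValidatedDPoPProof(string JkT, string? Nonce);
// Minimal result type: exactly one of Value / Error is set, so no exception carries the failure.
public sealed class ValidationResult<TOk, TError> where TOk : class where TError : class
{
    public TOk? Value { get; init; }
    public TError? Error { get; init; }
}
// Legacy public shape kept unchanged, plus the additive typed-error property the issue suggests.
public sealed record DPoPValidationResult(bool IsValid, string? Description, ValidationError? Error)
{
    public static DPoPValidationResult Failed(ValidationError e) => new(false, e.Message, e);
    public static DPoPValidationResult NonceRequired(ValidationError e) => new(false, "use_dpop_nonce", e);
}
public static class DPoPProofChecks
{
    // Checks the RFC 9449 §4.3 claims of an already-parsed, signature-verified proof against the request.
    public static ValidationResult<ValidatedDPoPProof, ValidationError> Validate(
        IDictionary<string, string> claims, string method, string uri, string jkt,
        string? expectedAth, string? expectedNonce, ISet<string> seenJti)
    {
        if (!claims.TryGetValue("htm", out var htm) || htm != method)
            return Fail(new DPoPProofClaimValidationError("htm", "HTTP method mismatch"));
        if (!claims.TryGetValue("htu", out var htu) || htu != uri)
            return Fail(new DPoPProofClaimValidationError("htu", "HTTP URI mismatch"));
        if (!claims.TryGetValue("jti", out var jti) || !seenJti.Add(jti)) // Add() returns false on replay
            return Fail(new DPoPProofClaimValidationError("jti", "missing or replayed jti"));
        if (expectedAth is not null && (!claims.TryGetValue("ath", out var ath) || ath != expectedAth))
            return Fail(new DPoPProofClaimValidationError("ath", "access token hash mismatch"));
        claims.TryGetValue("nonce", out var nonce);
        if (expectedNonce is not null && nonce is null)
            return Fail(new DPoPNonceRequiredError());
        if (expectedNonce is not null && nonce != expectedNonce)
            return Fail(new DPoPProofClaimValidationError("nonce", "nonce mismatch"));
        return new() { Value = new ValidatedDPoPProof(jkt, nonce) };
    }
    static ValidationResult<ValidatedDPoPProof, ValidationError> Fail(ValidationError e) => new() { Error = e };
    // Translation the issue describes: typed error in, unchanged public factory output out.
    public static DPoPValidationResult ToPublic(ValidationResult<ValidatedDPoPProof, ValidationError> r) => r.Error switch
    {
        null => new DPoPValidationResult(true, null, null),
        DPoPNonceRequiredError e => DPoPValidationResult.NonceRequired(e),
        ValidationError e => DPoPValidationResult.Failed(e),
    };
}
```

A test in the style the Tests section calls for would call Validate with one claim deliberately wrong and assert on the concrete error type and its ClaimName rather than on a message string.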

Metadata

Labels: 9.x Major Release (issues for the next major version 9.x), Internal (indicates issue was opened by the IdentityModel team), new validation model #2711