When obtaining an application access token, the scope list sent in the token request is not validated against the scope list sent in the DCR request. The scopes not allowed for the application should be dropped when issuing the access token.
ob-internal: https://github.com/wso2-enterprise/wso2-ob-internal/issues/1303
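
The expected behaviour described above, as an added example that is not part of the original report and is not WSO2 code: requested scopes are intersected with the space-delimited `scope` value the client registered through DCR, and the dropped ones are returned so they can be logged. All function names and the sample scope values are hypothetical; the fallback for an omitted scope and the rejection when nothing remains are assumptions.

```python
# Added illustration; names are hypothetical, not WSO2 Open Banking code.

class InvalidScope(Exception):
    """Maps to the OAuth 2.0 `invalid_scope` error (RFC 6749 section 5.2)."""


def parse_scope(value):
    """Split a space-delimited scope string, dropping duplicates, keeping order."""
    seen = []
    for token in (value or "").split():
        if token not in seen:
            seen.append(token)
    return seen


def grant_scopes(requested, registered):
    """Return (granted_scope_string, dropped_scopes) for a token request.

    requested  -- `scope` parameter of the token request (may be None)
    registered -- `scope` value the client registered through DCR
    """
    allowed = parse_scope(registered)
    wanted = parse_scope(requested)
    if not wanted:
        # Assumption: an omitted scope defaults to the registered scopes.
        wanted = list(allowed)
    granted = [s for s in wanted if s in allowed]
    dropped = [s for s in wanted if s not in allowed]
    if not granted:
        # Assumption: reject rather than issue a token with no scope at all.
        raise InvalidScope("no requested scope is registered for this client")
    return " ".join(granted), dropped


def token_response(requested, registered):
    """Build the scope-related part of a token response plus the audit list."""
    granted, dropped = grant_scopes(requested, registered)
    # RFC 6749 section 3.3: the response must carry `scope` when the issued
    # scope differs from the requested one; always returning it satisfies that.
    return {"token_type": "Bearer", "scope": granted}, dropped


# Constructed sample: client registered for accounts only, asks for payments too.
REGISTERED = "accounts"
REQUESTED = "accounts payments"

if __name__ == "__main__":
    print(token_response(REQUESTED, REGISTERED))
```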