mcp: delete upstream oauth2 token (#5707)

## Summary

Adds `POST /.pomerium/mcp/routes/disconnect` that allows an MCP client
application to request upstream OAuth2 tokens to be purged, so that a
user may get a new ones with possibly different scopes.

## Related issues

Fix
https://linear.app/pomerium/issue/ENG-2545/mcp-user-should-be-able-to-purge-their-upstream-oauth2-token

## User Explanation

<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

internal/mcp/storage_test.go

@@ -102,5 +102,14 @@ func TestStorage(t *testing.T) {
 
 		_, err = storage.GetUpstreamOAuth2Token(ctx, "host", "non-existent-user-id")
 		assert.Equal(t, codes.NotFound, status.Code(err))
+
+		err = storage.DeleteUpstreamOAuth2Token(ctx, "host", "user-id")
+		require.NoError(t, err)
+
+		_, err = storage.GetUpstreamOAuth2Token(ctx, "host", "user-id")
+		assert.Equal(t, codes.NotFound, status.Code(err))
+
+		err = storage.DeleteUpstreamOAuth2Token(ctx, "non-existent-host", "user-id")
+		assert.NoError(t, err)
 	})
 }