
Support for OIDC MTLS binding


      Fixes #4482.

      This PR adds support for OIDC MTLS Binding, to support cases where it is absolutely necessary to prove the access token was issued to the client who is presenting it. The client must authenticate over MTLS and the client certificate's thumbprint must match the JWT token or token introspection confirmation thumbprint.

      It took a while to deal with this issue; setting up the tests was tricky, but finally, with help from the Keycloak devservice, inclusive authentication, and certificate generation, it all got in place.

      The actual source update is quite simple: if the access token must be certificate-bound, the MTLS client certificate's thumbprint is stored in the routing context when the bearer access token is about to be verified, and it is then compared to the `x5t#S256` thumbprint carried in the `cnf` (confirmation) claim of the JWT token or of the token introspection response.

      Docs have been updated and tests added to check:

      • that a thumbprint is present in the JWT token
      • that a thumbprint is present in the token introspection
      • that a client which is configured to use the client secret authenticator in Keycloak can access a Quarkus endpoint which does not require a certificate binding over MTLS, but fails to access the endpoints where the certificate binding is enforced
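The comparison the PR describes, and the three test scenarios listed above, as an added Python example (not code from the PR or from Quarkus): the `x5t#S256` value is the base64url-encoded SHA-256 of the DER-encoded client certificate, and a token is accepted at a binding-enforced endpoint only when that value, read from the `cnf` claim of the JWT payload or of the introspection response, equals the thumbprint of the certificate the client presented over MTLS. The certificate bytes, the token payloads and the `placeholder-signature` are constructed sample data; all function names are hypothetical, and JWT signature verification is assumed to have happened separately before this check runs.

```python
import base64
import hashlib
import hmac
import json


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE and RFC 8705 use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_nopad; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url_nopad(hashlib.sha256(cert_der).digest())


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Signature verification is assumed
    to have been done already; this helper only reads the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def confirmation_thumbprint(claims: dict):
    """Return cnf.x5t#S256 if present and well-formed, else None. Works on a
    JWT payload and on a token introspection response alike."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return None
    thumb = cnf.get("x5t#S256")
    return thumb if isinstance(thumb, str) and thumb else None


def is_certificate_bound(claims: dict, client_cert_der) -> bool:
    """True only when the presenting client's certificate matches the token's cnf."""
    if client_cert_der is None:          # no MTLS client certificate presented
        return False
    expected = confirmation_thumbprint(claims)
    if expected is None:                 # token was not issued certificate-bound
        return False
    # constant-time comparison of the two thumbprints
    return hmac.compare_digest(expected.encode("ascii", "replace"),
                               x5t_s256(client_cert_der).encode("ascii"))


def authorize(claims: dict, client_cert_der, binding_required: bool) -> bool:
    """Endpoint decision: where binding is enforced, only a token whose cnf
    matches the presented certificate passes; elsewhere any valid token passes,
    whether or not it carries a cnf claim."""
    if not binding_required:
        return True
    return is_certificate_bound(claims, client_cert_der)


# --- constructed sample data: not real certificates or tokens ---
CLIENT_A_CERT_DER = b"constructed DER bytes for client A"
CLIENT_B_CERT_DER = b"constructed DER bytes for client B"


def make_token(claims: dict) -> str:
    """Compact JWT with a placeholder signature (constructed sample only)."""
    header = b64url_nopad(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_nopad(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# token issued to client A over MTLS: cnf holds client A's thumbprint
BOUND_TOKEN = make_token({"sub": "client-a",
                          "cnf": {"x5t#S256": x5t_s256(CLIENT_A_CERT_DER)}})
# token issued to a client that authenticated with a client secret: no cnf
UNBOUND_TOKEN = make_token({"sub": "client-secret-client"})
# same confirmation as BOUND_TOKEN, but as a token introspection response
INTROSPECTION = {"active": True, "sub": "client-a",
                 "cnf": {"x5t#S256": x5t_s256(CLIENT_A_CERT_DER)}}

if __name__ == "__main__":
    print(authorize(jwt_claims(BOUND_TOKEN), CLIENT_A_CERT_DER, True))    # True
    print(authorize(jwt_claims(BOUND_TOKEN), CLIENT_B_CERT_DER, True))    # False
    print(authorize(jwt_claims(UNBOUND_TOKEN), CLIENT_B_CERT_DER, True))  # False
    print(authorize(jwt_claims(UNBOUND_TOKEN), CLIENT_B_CERT_DER, False)) # True
```

The second and third calls are the failure modes the tests cover: a token replayed over a different client certificate, and a token that was never certificate-bound (no `cnf` claim) presented to an endpoint that enforces binding. The last call is the client-secret client reaching an endpoint that does not require binding.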

              sbiarozk Sergey Beryozkin
              blafond Barry LaFond
              Jakub Jedlicka Jakub Jedlicka