Improve Model Target Web API authentication fidelity

[adamtheturtle]

Follow-up to #3191.

The Model Target Web API mock currently accepts any non-empty bearer token, and the OAuth token route only performs minimal request validation. Add verified fake tests against real Vuforia for representative OAuth and bearer-token failure cases, then update the mock to match the observed status codes and error response bodies where practical.

Acceptance criteria:

• Verified fake tests cover invalid/missing OAuth credentials and invalid bearer token cases.
• The mock returns Vuforia-like status codes and error bodies for those cases.
• Any remaining intentional auth differences are documented in docs/source/differences-to-vws.rst.

[adamtheturtle]

Additional clarification after #3191: the current tests/mock_vws/test_model_target_web_api.py::TestMockErrors coverage includes mock-only authentication/OAuth cases that were added as a pragmatic CI coverage fix. The long-term outcome for this issue should be that externally observable auth behavior is covered by verified fake tests against real Vuforia, not left mock-only unless there is a documented reason real Vuforia cannot be used.

Please include an audit of the auth-related mock-only tests and either convert them to verified fake tests, replace them with verified fake equivalents, or document why a case must remain mock-only.