@bjoaquinc bjoaquinc commented Nov 9, 2025

Motivation and Context

Resolves #1581

Adds RFC 9728 Section 3.3 validation to prevent metadata impersonation attacks during PRM discovery. Uses pre-existing check_resource_allowed() to validate origin and path hierarchy before storing metadata. Invalid metadata triggers SEP-985 fallback (already implemented).

How Has This Been Tested?

Created the following tests:

  • test_reject_metadata_with_mismatched_origin - validates rejection of wrong scheme/host/port
  • test_reject_metadata_with_invalid_path_hierarchy - validates path parent/child relationships

Updated:

  • Existing test test_auth_flow_with_no_tokens updated to use valid resource field

Ran all tests in tests/client/test_auth.py to ensure they all pass.
Tested manually as well using examples/clients/simple-auth-client/mcp_simple_auth_client and examples/servers/simple-auth/mcp_simple_auth

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@bjoaquinc bjoaquinc changed the title from "feat(oauth): validate PRM resource field per RFC 9728 Section 3.3" to "fix: validate PRM resource field per RFC 9728 Section 3.3" on Nov 10, 2025
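The description above names two conditions a Protected Resource Metadata (PRM) document must satisfy before a client trusts it: the `resource` value must share origin (scheme, host, port) with the server URL the client was given, and the server URL must sit at or below that resource's path. The following is an added, stand-alone illustration of that check, written for this page; it is not the SDK's `check_resource_allowed()` implementation from the PR. The function names `is_valid_prm_resource` and `accept_prm_document`, the sample documents and URLs are all constructed here, and the hierarchy direction (server URL equal to or a descendant of the metadata resource) is an assumption drawn from the description's "parent/child" wording.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Default ports so "https://host" and "https://host:443" compare equal.
_DEFAULT_PORTS = {"https": 443, "http": 80}


def _effective_port(parts: SplitResult) -> Optional[int]:
    """Explicit port if present, otherwise the scheme's default."""
    if parts.port is not None:
        return parts.port
    return _DEFAULT_PORTS.get(parts.scheme.lower())


def _normalize_path(path: str) -> str:
    """Treat "" and "/" as the same root and drop a trailing slash."""
    return path.rstrip("/") or "/"


def is_valid_prm_resource(metadata_resource: str, server_url: str) -> bool:
    """Return True only when the PRM `resource` value may be trusted for server_url.

    Rejects a document whose resource identifier points at another origin
    (wrong scheme, host or port) or whose path is not a parent of, or equal
    to, the server URL's path. Query and fragment are not allowed in a
    resource identifier, so their presence is also a rejection.
    """
    try:
        meta = urlsplit(metadata_resource)
        srv = urlsplit(server_url)
        meta_port = _effective_port(meta)
        srv_port = _effective_port(srv)
    except ValueError:  # e.g. a non-numeric port
        return False

    if meta.query or meta.fragment:
        return False
    # Same origin: scheme, host and effective port must all match.
    if meta.scheme.lower() != srv.scheme.lower():
        return False
    if (meta.hostname or "").lower() != (srv.hostname or "").lower():
        return False
    if meta_port is None or meta_port != srv_port:
        return False

    # Path hierarchy: the server URL must be the resource itself or live
    # beneath it on a segment boundary ("/mc" must not match "/mcp").
    meta_path = _normalize_path(meta.path)
    srv_path = _normalize_path(srv.path)
    if meta_path == "/" or meta_path == srv_path:
        return True
    return srv_path.startswith(meta_path + "/")


def accept_prm_document(doc: dict, server_url: str) -> Optional[dict]:
    """Return the document if its `resource` passes validation, else None.

    A None result is the signal for the caller to discard the metadata and
    fall back to its default discovery path instead of using its contents.
    """
    resource = doc.get("resource")
    if not isinstance(resource, str) or not is_valid_prm_resource(resource, server_url):
        return None
    return doc


# Constructed sample input (not from the page).
SERVER_URL = "https://mcp.example.com/mcp"
GOOD_DOC = {
    "resource": "https://mcp.example.com/",
    "authorization_servers": ["https://auth.example.com"],
}
SPOOFED_DOC = {
    "resource": "https://other.example.net/mcp",
    "authorization_servers": ["https://other.example.net"],
}

if __name__ == "__main__":
    print("good document accepted:", accept_prm_document(GOOD_DOC, SERVER_URL) is not None)
    print("spoofed document accepted:", accept_prm_document(SPOOFED_DOC, SERVER_URL) is not None)
```

Running the block accepts the first document and rejects the second, which is exactly the branch where a client should fall back rather than honour an `authorization_servers` list it cannot tie to the server it is talking to.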

Development

Successfully merging this pull request may close these issues.

Add RFC 9728 resource field validation for protected resource metadata discovery