Return 401 instead of 500 on use of invalid access tokens

[jkakavas]

Token Service will throw an InvalidStateException if a wrong access token is used as a Bearer token for authentication and this gets translated to a 500 error response. We should be handling this correctly and return a 401 Unauthorized instead.

Relates : elastic/kibana#22905

[elasticmachine]

Pinging @elastic/es-security

[jkakavas]

This has been resolved as part of the awesome work that @albertzaharovits did on refactoring the TokenService. I added a small test to catch any regressions in #45138

[jkakavas]

Re-opening this as it was prematurely closed. There is one case still that we throw a 500 - when the access token is valid but expired and deleted from the tokens index. This needs to be handled before we resolve this issue