Make Google token exchange/signed URL acquisition more robust

[athornton]

After a few months of nightly CI use, we've noticed that occasionally the Workload Identity switcheroo and/or getting a signed URL from the Google Cloud Storage backend fails.

This seems to be fairly infrequent (but more frequent than you'd expect from a Google service) (once or twice a week, and we have overnight CI runs that do git-lfs operations on dozens of repositories) and transient.

I'm creating this issue mostly as a reminder to myself to implement a retry loop inside the relevant bits of the code; it should have no user-visible impact whatsoever except to ameliorate transient git failures (no API changes). I don't think it's much work, and I'll get to it when I have a few hours free to work on it.