api-guidelines
Add guidance on the value of `WWW-Authenticate` header in 401 response
HTTP services are required to include a WWW-Authenticate header in a 401 Unauthorized response per RFC 7235 (section 3.1):
The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
But Azure service teams currently are left on their own to decide what constitutes an "applicable challenge", leading to inconsistency in the result and possible confusion for users.
@schaabs has some concrete thoughts on good practices that we can codify into the Azure API Guidelines.
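To make the RFC requirement concrete, the following added example (not code from the api-guidelines repository) builds the WWW-Authenticate value for a Bearer challenge using the parameters RFC 6750 defines (realm, scope, error, error_description, error_uri), wraps it in a 401 response, parses a challenge back into its parameters as a client would, and runs a small lint over a response. The lint's first check is the RFC 7235 MUST (header present on every 401); the check that an `error` parameter should come with an `error_description` is an assumed house rule of the kind this issue proposes, not an RFC requirement.

```python
"""Building, checking and parsing a WWW-Authenticate challenge on a 401 response.

Added illustration, not code from the api-guidelines repository. Header syntax
follows RFC 7235; the Bearer parameters are those defined in RFC 6750.
"""
import re

# RFC 7230 "token" characters; used for parameter names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One auth-param: key=token or key="quoted-string", with an optional trailing comma.
_PARAM_RE = re.compile(
    r"\s*(?P<key>" + _TOKEN + r")\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r"))\s*(?:,|$)"
)


def _quote(value: str) -> str:
    """Render a value as an RFC 7230 quoted-string, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_bearer_challenge(realm, scope=None, error=None, error_description=None, error_uri=None):
    """Return the value of a WWW-Authenticate header carrying one Bearer challenge.

    Only parameters that are set are emitted: a "no token presented" 401 carries
    realm (and optionally scope) but no error parameter, as RFC 6750 section 3.1 says.
    """
    params = [("realm", realm)]
    for name, value in (("scope", scope), ("error", error),
                        ("error_description", error_description), ("error_uri", error_uri)):
        if value is not None:
            params.append((name, value))
    return "Bearer " + ", ".join(f"{k}={_quote(v)}" for k, v in params)


def unauthorized(challenge):
    """Build a 401 response as (status, headers, body) that satisfies RFC 7235 section 3.1."""
    headers = {"WWW-Authenticate": challenge, "Content-Type": "application/json"}
    body = b'{"error":{"code":"Unauthorized","message":"Authentication required."}}'
    return 401, headers, body


def parse_challenge(header):
    """Parse 'Scheme k=v, k="v", ...' into (scheme, params). Handles a single challenge."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        value = m.group("quoted")
        # Undo quoted-pair escaping for quoted-strings; tokens are used verbatim.
        value = re.sub(r"\\(.)", r"\1", value) if value is not None else m.group("token")
        params[m.group("key").lower()] = value
        pos = m.end()
    return scheme, params


def lint_401(status, headers):
    """Return a list of problems with a response; an empty list means no findings.

    The missing-header finding is the RFC 7235 MUST. The error-without-description
    finding is an assumed house rule (a guideline of the kind the issue proposes).
    """
    if status != 401:
        return []
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if value is None:
        return ["401 without WWW-Authenticate header (RFC 7235 section 3.1 MUST)"]
    try:
        scheme, params = parse_challenge(value)
    except ValueError as exc:
        return [f"unparseable challenge: {exc}"]
    problems = []
    if scheme.lower() == "bearer" and "error" in params and "error_description" not in params:
        problems.append("Bearer error given without error_description")
    return problems


if __name__ == "__main__":
    # Constructed sample: a service rejecting an expired token.
    challenge = build_bearer_challenge("example.com", scope="openid",
                                       error="invalid_token", error_description='The token is "expired"')
    status, headers, _ = unauthorized(challenge)
    print(status, headers["WWW-Authenticate"])
    print(parse_challenge(headers["WWW-Authenticate"]))
    print(lint_401(401, {"Content-Type": "application/json"}))
```

Running the module prints the 401 with its challenge, the parsed (scheme, params) pair, and the lint finding for a 401 that omits the header entirely; the realm value and the "expired" description are constructed sample data.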