authd
Improve error message when account is disabled
I tried disabling a user in Entra ID and logging in. It shows the error message "authentication failure: could not refresh token". In the log I see:
Feb 26 17:02:16 ubuntu authd-msentraid[112815]: oauth2: "invalid_grant" "AADSTS50057: The user account is disabled. Trace ID: 5f7d76c6-ec57-4833-9d29-6087922e2300 Correlation ID: 1f207b54-f311-4781-88d1-5a0f0cea3de5 Timestamp: 2025-02-26 16:02:16Z" "https://login.microsoftonline.com/error?code=50057"
Feb 26 17:02:16 ubuntu authd-msentraid[112815]: IsAuthenticated: denied
We should check the error code in the broker and return a more useful error message than "could not refresh token". Maybe we could just append the error message returned by the identity provider, if we can assume that it never leaks any sensitive information.
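One way the broker could do that check without passing the provider's text straight through, as an added example that is not authd's own code: the `tokenError` type is a hypothetical stand-in for the oauth2 library's `RetrieveError` fields (so the snippet needs no external module), `knownCodes`, `stripTraceFields` and `userFacingTokenError` are names assumed here, and only codes in the allow-list get a tailored message while the Trace/Correlation IDs are cut off before anything is derived from the description.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tokenError is a hypothetical stand-in for the oauth2 library's RetrieveError
// (only the fields used here), so the example needs no golang.org/x/oauth2.
type tokenError struct{ ErrorCode, ErrorDescription string }
func (e *tokenError) Error() string { return fmt.Sprintf("oauth2: %q %q", e.ErrorCode, e.ErrorDescription) }

// Only AADSTS codes listed here get a tailored message; unknown provider text
// is never passed through to the user.
var knownCodes = map[string]string{"AADSTS50057": "user account is disabled in the identity provider"}

// stripTraceFields drops the Trace ID / Correlation ID / Timestamp suffix so nothing
// derived from the description echoes those identifiers.
func stripTraceFields(desc string) string {
	for _, marker := range []string{" Trace ID:", " Correlation ID:", " Timestamp:"} {
		if i := strings.Index(desc, marker); i >= 0 {
			desc = desc[:i]
		}
	}
	return strings.TrimSpace(desc)
}

// userFacingTokenError maps a failed (possibly wrapped) refresh error to the message
// shown to the user and the AADSTS code worth logging.
func userFacingTokenError(err error) (msg, code string) {
	msg = "authentication failure: could not refresh token"
	var te *tokenError
	if !errors.As(err, &te) {
		return msg, ""
	}
	desc := stripTraceFields(te.ErrorDescription)
	if prefix, _, ok := strings.Cut(desc, ":"); ok && strings.HasPrefix(prefix, "AADSTS") {
		code = prefix
	}
	if tailored, ok := knownCodes[code]; ok {
		msg = "authentication failure: " + tailored
	}
	return msg, code
}

func main() {
	// Constructed from the journal line in the issue; the IDs are placeholders.
	err := fmt.Errorf("could not refresh token: %w", &tokenError{"invalid_grant", "AADSTS50057: The user account is disabled. Trace ID: <trace-id> Correlation ID: <corr-id> Timestamp: 2025-02-26 16:02:16Z"})
	fmt.Println(userFacingTokenError(err))
}
```

An unknown AADSTS code keeps the generic message but is still returned so the broker can log it.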