
Differentiate between HTTP 401 and 403 responses #24

Open
@ikattey

Description

The current implementation does not differentiate between HTTP 401 Unauthorized and HTTP 403 Forbidden responses.

At the moment, an HTTP 401 response is returned during request validation regardless of whether the issue is related to authentication (missing / invalid credentials) or authorisation (missing required permissions / scopes).

This does not align with standard HTTP response code usage and could be improved.

Expected Behaviour

It should be possible to differentiate error responses based on the nature of the security failure:

  • HTTP 401 Unauthorized should be returned for missing or invalid authentication credentials.
  • HTTP 403 Forbidden should be returned for authenticated users lacking the necessary permissions or scopes.
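The following is an added example (not the project's code, and not part of the issue) of how a request validator can make that split along the lines of RFC 6750 Bearer token error handling: no usable credentials or an unknown token produces 401 with a `WWW-Authenticate: Bearer` challenge, while a valid token that lacks the required scope produces 403 with `error="insufficient_scope"` and the scope the client would need. The opaque bearer scheme, the in-memory `TOKENS` table, the `REALM` value and the `validate_request` / `lookup_token` helpers are all hypothetical, chosen only for illustration.

```python
"""
Added example, not the project's implementation: distinguish an
authentication failure (401) from an authorisation failure (403) during
request validation, using the challenge format of RFC 6750 section 3.
Token scheme, token table and realm are assumptions for illustration.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample token table (assumption): opaque bearer token -> granted scopes.
TOKENS = {
    "tok-reader": {"read"},
    "tok-admin": {"read", "write"},
}
REALM = "api"  # hypothetical realm name used in the challenge


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def lookup_token(presented: str) -> Optional[Set[str]]:
    """Return the scopes granted to a token, or None if it is unknown.

    Every entry is compared with hmac.compare_digest and the loop never
    breaks early, so an invalid token costs the same time as a valid one.
    """
    match = None
    for token, scopes in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            match = scopes
    return match


def challenge(status: int, error: Optional[str] = None,
              description: Optional[str] = None,
              scope: Optional[str] = None) -> Response:
    """Build a response carrying a WWW-Authenticate: Bearer challenge."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return Response(status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)},
                    body=error or "")


def validate_request(headers: dict, required_scope: str) -> Response:
    """Validate one request (headers keyed exactly as 'Authorization').

    401: no usable Bearer credentials, or a token that is not recognised.
    403: the token is valid, so the caller is authenticated, but it does
         not carry the scope this route requires.
    200: authenticated and authorised.
    """
    auth = headers.get("Authorization")
    scheme, _, token = (auth or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # No credentials, or not Bearer credentials: a bare challenge with
        # no error code, as RFC 6750 specifies for requests without a token.
        return challenge(401)
    scopes = lookup_token(token)
    if scopes is None:
        return challenge(401, "invalid_token",
                         "token is unknown, expired or revoked")
    if required_scope not in scopes:
        # Authenticated but not permitted: 403, naming the missing scope.
        return challenge(403, "insufficient_scope",
                         "token lacks the scope required for this resource",
                         scope=required_scope)
    return Response(200, body="ok")


if __name__ == "__main__":
    for hdrs, scope in [({}, "read"),
                        ({"Authorization": "Bearer tok-bogus"}, "read"),
                        ({"Authorization": "Bearer tok-reader"}, "write"),
                        ({"Authorization": "Bearer tok-admin"}, "write")]:
        r = validate_request(hdrs, scope)
        print(r.status, r.headers.get("WWW-Authenticate", ""))
```

The 403 branch deliberately sends `scope="..."` so a correctly authenticated client can tell that re-authenticating will not help and that it needs a token with a wider grant; the 401 branches send the challenge so a client knows which scheme to retry with.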

Labels: bug