Use token endpoint from session

Open gerardsn opened this issue 1 year ago • 0 comments

The OpenID4VCI flow has multiple possible AuthorizationServers defined in the credential issuer metadata. This can be a different endpoint than the one derived from the did:web issuing the credential. We must use the same metadata to resolve the token_endpoint as was used to derive the authorization_endpoint, or the authorization_code may not end up at the server that issued it.

The implementer's draft for OpenID4VCI clarifies that the metadata should be resolved from /.well-known/oauth-authorization-server and not /.well-known/openid-configuration, so changed this too.

gerardsn · May 17 '24 18:05
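Added example, not part of the issue and not nuts-node's own code: one way to pin the token_endpoint in the session when the authorization request is built, so the callback redeems the authorization_code at the server that issued it. The type and function names, the `as.example` URLs, and the choice of the first listed authorization server are assumptions made for illustration; the well-known URL construction and the issuer comparison follow RFC 8414.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ASMetadata holds the RFC 8414 metadata fields this flow needs (hypothetical type).
type ASMetadata struct{ Issuer, AuthorizationEndpoint, TokenEndpoint string }

// Session is the state kept between the authorization request and the callback.
type Session struct{ AuthorizationServer, TokenEndpoint string }

// WellKnownURL inserts the RFC 8414 well-known segment between host and path.
func WellKnownURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("issuer must be an absolute https URL")
	}
	path := strings.TrimSuffix(u.Path, "/")
	return u.Scheme + "://" + u.Host + "/.well-known/oauth-authorization-server" + path, nil
}

// StartAuthorization resolves one server's metadata and pins its token_endpoint.
func StartAuthorization(authServers []string, fetch func(string) (ASMetadata, error)) (Session, string, error) {
	if len(authServers) == 0 {
		return Session{}, "", errors.New("no authorization server in issuer metadata")
	}
	as := authServers[0] // assumption: a real client may select differently
	wk, err := WellKnownURL(as)
	if err != nil {
		return Session{}, "", err
	}
	md, err := fetch(wk)
	if err != nil {
		return Session{}, "", err
	}
	if md.Issuer != as { // RFC 8414: returned issuer must equal the one requested
		return Session{}, "", fmt.Errorf("issuer mismatch: %q", md.Issuer)
	}
	return Session{AuthorizationServer: as, TokenEndpoint: md.TokenEndpoint}, md.AuthorizationEndpoint, nil
}

func main() {
	wk, _ := WellKnownURL("https://as.example/tenant1") // constructed sample value
	fmt.Println(wk)
}
```

On the callback, the token request goes to `Session.TokenEndpoint` rather than to an endpoint re-derived from the issuer's did:web.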