authzen
Clarify Unauthorized / Forbidden Response
In the spec the error status responses are specified as:

| Status | Reason | Body |
|---|---|---|
| 401 | Unauthorized | An error message string |
| 403 | Forbidden | An error message string |
Suggest clarifying that:

HTTP status responses always refer to the use of the PDP decision API itself and are unrelated to the decision outcomes.

A status 401 from the PDP means the HTTP client (usually a PEP) is not authorized to call the PDP (e.g. because no Authorization header was provided, or the one provided was invalid). Likewise, an HTTP status 403 returned by a PEP to its own client would normally be based on a status 200 response from the PDP containing a "deny" decision.
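The distinction proposed above, as an added example that is not part of the issue or the AuthZEN spec: a PEP-side mapping that treats a 401/403 from the PDP as a failure to obtain a decision, and only turns a 200 response carrying `"decision": false` into a 403 for the PEP's own client. The `{"decision": bool}` response shape, the `PdpCallError` type and the 502 used for "could not reach a decision" are assumptions made for this example.

```python
import json

class PdpCallError(Exception):
    """Raised when the PEP could not obtain a decision from the PDP at all."""

def interpret_pdp_response(status: int, body: str) -> bool:
    """Map a raw PDP HTTP response to a decision (True = permit, False = deny).

    401/403 from the PDP mean the PEP itself is not allowed to call the
    decision API (e.g. missing or invalid Authorization header). They say
    nothing about the subject's access, so they are errors, never a "deny".
    """
    if status == 401:
        raise PdpCallError("PEP credentials for the PDP missing or invalid (401)")
    if status == 403:
        raise PdpCallError("PEP is not permitted to use the PDP decision API (403)")
    if status != 200:
        raise PdpCallError(f"unexpected PDP status {status}: {body!r}")
    # Assumed response shape for this example: {"decision": true|false}
    decision = json.loads(body).get("decision")
    if not isinstance(decision, bool):
        raise PdpCallError("PDP returned 200 without a boolean decision")
    return decision

def pep_client_status(pdp_status: int, pdp_body: str) -> int:
    """Status the PEP returns to its own client.

    PDP 200 + decision true  -> 200 (request proceeds)
    PDP 200 + decision false -> 403 (subject denied by policy)
    PDP 401/403/other        -> 502 (PEP cannot get a decision; fail closed,
                                 but kept distinguishable from a policy deny)
    """
    try:
        allowed = interpret_pdp_response(pdp_status, pdp_body)
    except PdpCallError:
        return 502  # choice made for this example, not mandated by the spec
    return 200 if allowed else 403

# Constructed PDP responses covering the situations described in the issue.
SAMPLE_PDP_RESPONSES = {
    "pep_token_missing": (401, '{"error": "Unauthorized"}'),
    "subject_denied": (200, '{"decision": false}'),
    "subject_allowed": (200, '{"decision": true}'),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLE_PDP_RESPONSES.items():
        print(f"{name}: PDP {status} -> PEP returns {pep_client_status(status, body)}")
```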