Allow supplying ones own subject token for workload identities

[mattmatters]

In conjunction with #183 we found that if we wanted to use aws as a credential source for workload identities we either would have to implement a lot of aws access token signing, role handling, local vs in the cloud logic, etc stuff in this library which felt fairly overkill, or to just handle that logic in our own application.

Given our application has all the necessary libraries to handle aws credential fetching and signing, the logical choice seems to be to just handle it all on the caller side and pass the formatted subject_token directly into Goth.