fix: port upstream changes to use Windows token in LocalAPI

[jamestelfer]

The Tailscale implementation of this functionality has changed somewhat. The update changes the way the Windows access token is retrieved, giving a better approximation of the current process' rights.

This seems to fix issues found in #13, where calling the certificate API causes the remote Tailscale daemon to shut down.

Ultimately this is a very selective port to see if the issues I was experiencing are addressed: there are other, later updates to this area that could also be ported.

Note that this change requires Go 1.23 or above. Traefik and Caddy currently meet this criteria, so this may be OK to adopt.

See https://github.com/tailscale/tailscale/pull/9049