fix: attempt to query resource-specific protected resource metadata before root PRM

[LucaButBoring]

Currently, the resource-specific protected resource metadata endpoint is not queried to discover RFC 9728 metadata, which is incorrect per the specification.

Given an MCP server at https://example.com/mcp, the PRM must be located at https://example.com/.well-known/oauth-protected-resource/mcp. However, no matter what path the MCP server is hosted on, the SDK currently attempts to discover PRM at the root, e.g. https://example.com/.well-known/oauth-protected-resource. This breaks compatibility with any MCP server with authorization hosted outside of the root, unless the MCP server is double-hosting metadata to account for this.

This PR attempts to handle both cases (giving consideration to the existing behavior potentially being expected now) by querying the most specific resource path first, and then falling back to the existing behavior in the event that PRM is hosted at the root path instead. This is the same behavior used in the TS SDK.

Note that this fallback behavior is not actually spec-compliant, I've only implemented it this way to account for the possibility that some MCP servers are non-compliant to match the client SDK.

Motivation and Context

Fixes compatibility with spec-compliant MCP servers.

How Has This Been Tested?

Unit tests. TODO: spot check against example server (putting implementation out now for early feedback)

Breaking Changes

None.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

#1052

[LucaButBoring]

Closing in favor of #1071 which was just merged.