Include validation error in response challenge

Per RFC 6750 error responses should include one of three error codes and an error description.

See https://www.rfc-editor.org/rfc/rfc6750#section-3.1

Renamed isAuthorized() function authorize() and refactored it to return an error instead of bool.

The request handler, in turn, checks for an error from authorize() and includes the correct error and error_description attributes in the "WWW-Authenticate" response header.