[OBO] End‑to‑End OBO & RLS Validation

Validate full end‑to‑end delegated identity behavior including SQL RLS.

- Validate:
    1. SUSER_NAME() reflects delegated user
    2. RLS filters rows per user
    3. guest/B2B users succeed
    
- Validate HTTP mapping
   1. invalid/missing token → 401
   2. missing identity claims → 401
   3. OBO failure → 401
   4. SQL permission denied → 403