Credentials should use core Pipelines

Today they use HttpClients directly. One blocker for making this change is that the core RetryPolicy returns an HttpError when it receives a non-retriable, non-2xx response (#2435), and that type expects a generic Azure error shape that doesn't match Entra ID errors. That makes it difficult for a credential using the policy to return a clear error message like "Invalid secret".