Describe the bug
There appears to be a bug in the GetProtectedResourceMetadataFromHeader function in internal/oauthex/resource_meta.go that causes the validation to always fail.
At line 157, when GetProtectedResourceMetadataFromHeader calls getPRM, it passes the same URL for both the purl and wantResource parameters:
Here, url is the metadata endpoint URL (e.g., https://example.com/.well-known/oauth-protected-resource/mcp).
However, according to RFC 9728, the Resource field in the metadata should contain the actual resource identifier (e.g., https://example.com/mcp), not the metadata endpoint URL. Because wantResource is the metadata URL rather than the resource identifier, the comparison at lines 171-173 always fails.
Expected behavior
The validation should either:
- Extract the actual resource identifier from the metadata URL before validation, OR
- Accept that prm.Resource will differ from the metadata endpoint URL
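To make the mismatch concrete, here is an added example (not code from the SDK or from this report) that derives the resource identifier from a metadata URL by inverting the RFC 9728 Section 3 construction, then runs the same equality check against both the metadata URL (the current behaviour) and the derived identifier (the first option above). The names resourceFromMetadataURL, validateResource and protectedResourceMetadata are assumptions made for this illustration and do not reproduce the signature of getPRM.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// wellKnownPath is the RFC 9728 well-known path segment that is inserted
// between the host and the resource's path component.
const wellKnownPath = "/.well-known/oauth-protected-resource"

// protectedResourceMetadata holds the one member this example checks
// (hypothetical struct; the SDK's own type has more fields).
type protectedResourceMetadata struct {
	Resource string `json:"resource"`
}

// resourceFromMetadataURL inverts the RFC 9728 construction: the metadata URL
// for resource https://host/p is https://host/.well-known/oauth-protected-resource/p,
// so removing the well-known segment from the path yields the resource identifier.
// A URL that does not carry the well-known segment is rejected rather than guessed at.
func resourceFromMetadataURL(metaURL string) (string, error) {
	u, err := url.Parse(metaURL)
	if err != nil {
		return "", err
	}
	switch {
	case u.Path == wellKnownPath:
		// Resource identifier with no path component, e.g. https://example.com
		u.Path = ""
	case strings.HasPrefix(u.Path, wellKnownPath+"/"):
		u.Path = strings.TrimPrefix(u.Path, wellKnownPath)
	default:
		return "", fmt.Errorf("not a protected resource metadata URL: %s", metaURL)
	}
	u.RawPath = "" // let net/url re-derive the escaped form from the edited Path
	return u.String(), nil
}

// validateResource mirrors the check the report describes: the metadata's
// "resource" member must equal the resource identifier the client expects.
func validateResource(prm protectedResourceMetadata, wantResource string) error {
	if prm.Resource != wantResource {
		return fmt.Errorf("resource %q does not match expected %q", prm.Resource, wantResource)
	}
	return nil
}

func main() {
	// Constructed sample: metadata served at the well-known URL for /mcp,
	// whose "resource" member correctly names the resource itself.
	metaURL := "https://example.com/.well-known/oauth-protected-resource/mcp"
	prm := protectedResourceMetadata{Resource: "https://example.com/mcp"}

	// Current behaviour: wantResource is the metadata URL, so the check fails.
	fmt.Println("compare against metadata URL:", validateResource(prm, metaURL))

	// Fixed behaviour: derive the identifier first, then compare.
	want, err := resourceFromMetadataURL(metaURL)
	if err != nil {
		fmt.Println("derive:", err)
		return
	}
	fmt.Println("compare against derived resource:", validateResource(prm, want))
}
```

The derivation keeps any query component and trailing slash intact, since RFC 9728 inserts the well-known segment before them and a byte-exact comparison with the metadata's resource member is what the check relies on.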