Remove sessionToken auth strategy from subscription management APIs

[lmorchard]

Related to #706

• Subscription management APIs from PR feat(accounts): add APIs to manage subscriptions and report capabilities #819 accept sessionToken auth strategy - remove it, because we only want to use OAuth tokens here
• Ensure the docs are updated to reflect this

[lmorchard]

A couple notes here:

Can we put all of these routes under the /oauth/subscriptions path, remove the sessionToken portion of all of these and only support oauthToken? Is there a use case that requires a sessionToken to be passed? My long term personal preference is to use sessionTokens for authentication related stuff and OAuth creds for all other interactions.

And then:

Still trying to work through this one. My Hapi-knowledge is not strong, and I'm getting errors when I remove the sessionToken strategy: Payload authentication requires at least one strategy with payload support in /v1/oauth/subscriptions/plans. I'm also having trouble finding anywhere else in the auth server that just uses the oauthToken strategy as an example.

[lmorchard]

I think I just fixed the error by adding a payload: false auth option to the routes - which I swear I tried before, but 🤷‍♂️ it works now maybe?