Fix device auth error handling

Most of the device authorization endpoints (`external_api/device_auth.rs`) should not return `Result<_, HttpError>`, since in the error case they will not be valid OAuth errors (they'll be `dropshot::HttpErrorResponseBody`).

Also investigate why (or indeed if) instrumentation doesn't work with `Response<Body>`.