Require a specific tenant for confidential clients

[chlowell]

Also, just FYI / for context, both in client_credentials flow and in OBO flow, calls should not be made over "common" / "organizations".

• in client_credentials we should outright ban it, because "common" is only supposed to work with user flows
• in OBO, if you've got a multi-tenant app, the tenant should be incomming_assertion.tid

Originally posted by @bgavrilMS in #343 (comment)

The confidential.Client constructor confidential.New() doesn't require an authority and "common" is its default tenant. We could make calling New() without an authority argument a runtime error but making it a compile-time error requires a new constructor.

[bgavrilMS]

Not that you can change the tenant id when making the request, you cannot throw in the confidential ctor. You can only throw after you resolve the tenant id.

[bgavrilMS]

I think we should take this for GA.

Note that this validation needs to happen as part of AcquireToken* API, as the CCA object may be configurd with "login.microsoft.com/common" but the modified WithTenant used in the acquire method.