Update API authentication with MCP scopes #661

@TWilkin

Description

  • Add MCP-specific JWT scoping: Extend JWT claims to include MCP audience and granular scopes (e.g. mcp:device_control, mcp:sensor_read), then enforce these scopes in existing endpoints alongside current role-based authorisation
  • Create MCP token refresh endpoint: Add endpoint for refreshing short-lived MCP tokens (15-30 min expiry) to support automatic token lifecycle management in MCP server.
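
An added example, not code from this repository, of the enforcement the issue describes: a token must pass the MCP audience check and carry the endpoint's scope in addition to the existing role check, and it expires after 15 minutes. Assumptions: HS256 with a shared demo secret, the claim names `aud`, `scope` (space-delimited) and `role`, the audience value `mcp`, and the hypothetical function names `mint` and `authorise`.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: HS256 shared secret, demo value only
MCP_AUDIENCE = "mcp"               # assumption: audience value used for MCP tokens
MCP_TTL = 15 * 60                  # short-lived token: 15 minutes, per the issue

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def mint(sub, role, scopes, aud=MCP_AUDIENCE, now=None, ttl=MCP_TTL):
    """Issue an HS256 JWT carrying role, audience and space-delimited scopes."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "role": role, "aud": aud,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    body = header + "." + _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

def authorise(token, required_scope, allowed_roles, now=None):
    """Return the claims only if signature, expiry, audience, scope AND role all pass."""
    now = int(time.time() if now is None else now)
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + payload)):
            return None                       # forged or tampered token
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None                       # algorithm is pinned, not taken from the header
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None                           # malformed token
    if claims.get("exp", 0) <= now:
        return None                           # expired: client must refresh
    if claims.get("aud") != MCP_AUDIENCE:
        return None                           # token was issued for another audience
    if required_scope not in claims.get("scope", "").split():
        return None                           # scope missing, whatever the role says
    if claims.get("role") not in allowed_roles:
        return None                           # existing role-based check still applies
    return claims
```
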

Labels: api (Relating to the API service), enhancement (New feature or request)