
fix: omit resource from OAuth refresh grants#2594

Closed
he-yufeng wants to merge 1 commit into
modelcontextprotocol:mainfrom
he-yufeng:fix/oauth-refresh-omit-resource

Conversation

@he-yufeng

Summary

  • omit RFC 8707 resource from refresh-token grants while keeping it on authorization-code token exchange when required
  • avoid leaking Pydantic's bare-domain trailing slash into get_resource_url()
  • add regression coverage for recent protocol versions, PRM-backed resources, and bare-domain PRM resources

Closes #2578

To verify

  • .venv\Scripts\python.exe -m pytest tests\client\test_auth.py::TestProtectedResourceMetadata tests\client\test_auth.py::test_get_resource_url_omits_pydantic_root_slash tests\client\test_auth.py::test_get_resource_url_uses_canonical_when_prm_mismatches tests\client\test_auth.py::TestOAuthFallback::test_refresh_token_request -q --basetemp .tmp\pytest -p no:cacheprovider
  • .venv\Scripts\python.exe -m ruff check src\mcp\client\auth\oauth2.py tests\client\test_auth.py
  • .venv\Scripts\python.exe -m ruff format --check src\mcp\client\auth\oauth2.py tests\client\test_auth.py
  • .venv\Scripts\python.exe -m py_compile src\mcp\client\auth\oauth2.py tests\client\test_auth.py
  • git diff --check
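As an added illustration of the two behaviours the summary describes (it is not the PR's diff, which this page does not show), assuming hypothetical helper names `canonical_resource_url` and `build_token_request` rather than the SDK's real API:

```python
from urllib.parse import urlsplit, urlunsplit

# Added example; names are assumptions, not the mcp SDK's own functions.


def canonical_resource_url(url: str) -> str:
    """Return the RFC 8707 resource identifier for a server URL.

    Pydantic's AnyHttpUrl renders a bare domain as "https://example.com/".
    Only that synthetic root slash is removed; a real path such as "/mcp/"
    is left intact (the narrower normalisation the author prefers).
    The fragment is dropped because RFC 8707 forbids one in a resource value.
    """
    parts = urlsplit(url)
    path = "" if parts.path == "/" else parts.path
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def build_token_request(
    grant_type: str, server_url: str, *, resource_required: bool, **params: str
) -> dict[str, str]:
    """Build the form body sent to the token endpoint.

    The resource parameter is included on the authorization_code exchange
    when the server or protocol version requires it, but never on a
    refresh_token grant, which some issuers reject when it is present.
    """
    body = {"grant_type": grant_type, **params}
    if grant_type == "authorization_code" and resource_required:
        body["resource"] = canonical_resource_url(server_url)
    return body
```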

@he-yufeng (Author)

Closing this as a duplicate of #2590. I missed the existing branch when I opened this newer version.

#2590 is the better one to keep: it was opened first, has the same CI coverage green, and keeps the bare-domain resource normalization narrower by only removing Pydantic's synthetic root slash instead of stripping every trailing slash.

@he-yufeng he-yufeng closed this May 14, 2026

Development

Successfully merging this pull request may close these issues.

OAuth token refresh sends RFC 8707 resource parameter that Entra ID v2.0 rejects (AADSTS9010010)
