Revamp the client authentication method negotiation logic and support mTLS token binding in the client, server and validation stacks#2426

Merged
kevinchalet merged 1 commit into openiddict:dev from kevinchalet:mtls
Feb 21, 2026

Conversation

@kevinchalet (Member) commented Feb 21, 2026

Fixes #2421.

This PR implements the remaining mTLS tasks that were not implemented as part of the mTLS PR dedicated to the client authentication part:

  • The client, server and validation stacks now fully support mTLS token binding, even when using introspection and even for the built-in userinfo endpoint.
  • OpenIddict will allow public clients to use TLS client certificates: in this case, the certificates are not used for mTLS client authentication but exclusively for mTLS token binding.
  • The existing TlsClientAuthenticationCertificateSelector and SelfSignedTlsClientAuthenticationCertificateSelector options present in the System.Net.Http integration packages have been marked as deprecated, are no longer used and will be removed in a future version as they didn't allow flowing certificates dynamically, which is required for mTLS token binding using certificates generated on-the-fly (typically per user or per authorization flow).
  • New OpenIddictClientSystemNetHttpContext and OpenIddictValidationSystemNetHttpContext classes have been introduced to allow flowing X.509 certificates from OpenIddict to HttpClientFactory via some targeted async-local sorcery. This is required as HttpClientFactory doesn't allow defining handler-specific options for each HTTP request (which is something we need to dynamically select the TLS client authentication certificates).
  • All the event handlers responsible for overriding the client authentication methods in the System.Net.Http integration packages have been marked as deprecated, are no longer used and will be removed in a future version: the event handlers present in OpenIddict.Client and OpenIddict.Validation will now negotiate tls_client_auth, self_signed_tls_client_auth and client_secret_basic without requiring more specific handlers in the System.Net.Http integration packages.
  • Some of the new APIs introduced in the previous PR have been renamed for better clarity.
  • GetPublicKeyInfrastructureTlsClientAuthenticationPolicyAsync() has been updated to support resolving intermediate CA certificates, which is essential to support subordinate CA scenarios where the organization owning the authorization server wants to allow each client organization to sign its own end certificates.

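The bullets above describe mTLS token binding at the feature level. As an added example that is not OpenIddict code and not part of this PR, the following C# shows the check a resource server performs when it receives a certificate-bound access token, as specified by RFC 8705: hash the DER form of the certificate presented on the TLS connection with SHA-256, base64url-encode it, and compare it with the `x5t#S256` member of the token's `cnf` claim. The same comparison applies whether the claims come from a validated JWT or from an introspection response, and it does not depend on the certificate being CA-issued, which is why the binding still works for public clients that present a certificate without using it for client authentication. The class, method names and the self-signed test certificates are constructed for this example; it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;

// Added example (not OpenIddict code): the resource-server side of mTLS token
// binding (RFC 8705). The certificate presented on the TLS connection must hash to
// the "x5t#S256" value carried in the token's "cnf" claim, otherwise the token is
// rejected even if its signature, audience and lifetime are all valid.
public static class MtlsTokenBindingDemo
{
    // "x5t#S256" = base64url(SHA-256(DER-encoded certificate)), without padding.
    public static string ComputeThumbprint(X509Certificate2 certificate)
    {
        byte[] hash = SHA256.HashData(certificate.RawData);
        return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Returns true only when the token carries cnf.x5t#S256 and it matches the
    // presented certificate. A token without "cnf" is reported as unbound; whether
    // unbound tokens are acceptable at all is a policy decision for the resource server.
    public static bool IsBoundTo(JsonElement tokenClaims, X509Certificate2 presented)
    {
        if (!tokenClaims.TryGetProperty("cnf", out JsonElement cnf) ||
            cnf.ValueKind != JsonValueKind.Object ||
            !cnf.TryGetProperty("x5t#S256", out JsonElement expected) ||
            expected.ValueKind != JsonValueKind.String)
        {
            return false;
        }

        return string.Equals(expected.GetString(), ComputeThumbprint(presented), StringComparison.Ordinal);
    }

    // Constructed certificates: self-signed and generated in memory. No trust chain
    // is evaluated here; chain validation (including the intermediate CA resolution
    // mentioned in the PR) is a separate step that happens before or alongside this check.
    private static X509Certificate2 CreateTestCertificate(string subject)
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        using X509Certificate2 bound = CreateTestCertificate("CN=bound-client");
        using X509Certificate2 other = CreateTestCertificate("CN=other-client");

        // Constructed token payload: in practice these claims come from a validated JWT
        // or from an introspection response, which carries the same "cnf" member.
        string payload = $"{{\"sub\":\"demo\",\"cnf\":{{\"x5t#S256\":\"{ComputeThumbprint(bound)}\"}}}}";
        using JsonDocument token = JsonDocument.Parse(payload);

        // The legitimate holder presents the certificate the token was bound to.
        if (!IsBoundTo(token.RootElement, bound))
            throw new InvalidOperationException("bound certificate must be accepted");

        // A stolen token replayed over a connection authenticated with a different
        // certificate fails the binding check, which is the property the feature provides.
        if (IsBoundTo(token.RootElement, other))
            throw new InvalidOperationException("foreign certificate must be rejected");

        // A token without "cnf" is not bound to anything and is reported as such.
        using JsonDocument unbound = JsonDocument.Parse("{\"sub\":\"demo\"}");
        if (IsBoundTo(unbound.RootElement, bound))
            throw new InvalidOperationException("unbound token must not be treated as bound");

        Console.WriteLine("All binding checks behaved as expected.");
    }
}
```

Two things worth noting for a deployment: the comparison is only meaningful if the TLS terminator actually hands the peer certificate to the application (a reverse proxy that terminates TLS and forwards the certificate in a header must be treated as trusted for that header), and a resource server that accepts both bound and unbound tokens should make that an explicit per-scope or per-audience decision rather than falling back silently when `cnf` is absent.
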
… mTLS token binding in the client, server and validation stacks
@kevinchalet kevinchalet added this to the 7.3.0 milestone Feb 21, 2026
@kevinchalet kevinchalet self-assigned this Feb 21, 2026
@kevinchalet kevinchalet merged commit 7b9fd76 into openiddict:dev Feb 21, 2026
6 checks passed
@kevinchalet kevinchalet deleted the mtls branch February 21, 2026 10:18


Development

Successfully merging this pull request may close these issues.

Implement mTLS-based token binding
