When we need a bearer token, look up the configured authenticator for
the remote and ask it for tokens. Also updates the test-auth test
with to use the new test authenticator instead of the previous
env var hack.
Unfortunately we lose some error information when we pull multiple
refs, ending with a generic "something failed" error rather than the
401 error so in the p2p case we can't verify that we get the right
errors.
