
Conversation

@eriktate
Contributor

This PR adds the ability to define static, scoped join tokens within the file config. It works very similarly to unscoped static tokens but requires just a little more structure.

Here's an example showing unscoped and scoped tokens defined side by side:

```yaml
auth_service:
  enabled: yes
  tokens:
    - node:foo
  scoped_tokens:
    - token: node:bar
      scope: /foo/bar
```

Unscoped and scoped tokens can both be defined in the same `auth_service` block. The `scope` configuration defines which scope will be applied to resources provisioned using the `bar` token. The scope of the scoped token itself is set to `scopes.Root`. I considered adding configurations for both scope configurations, but it seemed like a better UX not to worry about the token resource's scope, and `scopes.Root` seems appropriate for something defined at the file config level.

Joining with a static scoped token should work exactly like an unscoped token or a regular scoped token provisioned with `tctl scoped token add`. Once the node has joined, its host certs can be inspected to confirm that the `AgentScope` property has been assigned.
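As an added illustration of the config shape described above (example code written for this page, not code from the PR or from the project), the following Go program resolves an `auth_service` block with both `tokens` and `scoped_tokens` into a single normalised list. The assumptions are mine: the config is represented as already-decoded Go structs rather than parsed from YAML (to stay standard-library only), the root scope is the path `/` (standing in for `scopes.Root`), and scopes must be absolute paths of lowercase alphanumeric segments. The checks a reviewer would want are included: malformed `role:secret` strings are rejected without echoing the secret, scopes are validated before use, a secret that appears in both lists is refused because it would make a joining node's scope ambiguous, and `String()` redacts the secret so resolved tokens can be logged.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RootScope stands in for the project's scopes.Root (assumption: the root
// scope is the path "/"). Per the PR, scoped tokens defined in file config
// get this as the scope of the token resource itself.
const RootScope = "/"

// AuthServiceConfig mirrors the auth_service block from the PR description.
type AuthServiceConfig struct {
	Tokens       []string           // unscoped "role:secret" strings
	ScopedTokens []ScopedTokenEntry // scoped entries with an explicit scope
}

// ScopedTokenEntry is one item of scoped_tokens.
type ScopedTokenEntry struct {
	Token string
	Scope string
}

// ResolvedToken is the normalised form both kinds of token reduce to.
// AgentScope is assigned to resources that join with the token (empty for
// unscoped tokens); TokenScope is the scope of the token resource.
type ResolvedToken struct {
	Role       string
	Secret     string
	AgentScope string
	TokenScope string
}

// String redacts the secret so a resolved token can be logged safely.
func (t ResolvedToken) String() string {
	return fmt.Sprintf("role=%s secret=<redacted> agent_scope=%q token_scope=%q",
		t.Role, t.AgentScope, t.TokenScope)
}

// splitToken parses the "role:secret" form of static tokens. The raw value is
// kept out of the error message so a typo never leaks the secret into logs.
func splitToken(raw string) (string, string, error) {
	role, secret, ok := strings.Cut(raw, ":")
	if !ok || role == "" || secret == "" {
		return "", "", errors.New("static token is not of the form role:secret")
	}
	return role, secret, nil
}

// ValidateScope checks that a scope is an absolute path of non-empty segments
// made of [a-z0-9_-] (assumed rules; the project's own syntax may differ).
func ValidateScope(scope string) error {
	if !strings.HasPrefix(scope, "/") {
		return fmt.Errorf("scope %q must be an absolute path", scope)
	}
	if scope == RootScope {
		return nil
	}
	for _, seg := range strings.Split(strings.TrimPrefix(scope, "/"), "/") {
		if seg == "" {
			return fmt.Errorf("scope %q has an empty segment", scope)
		}
		for _, r := range seg {
			lower, digit := r >= 'a' && r <= 'z', r >= '0' && r <= '9'
			if !lower && !digit && r != '-' && r != '_' {
				return fmt.Errorf("scope %q contains disallowed character %q", scope, r)
			}
		}
	}
	return nil
}

// Resolve turns the file config into resolved tokens, rejecting malformed
// tokens, invalid or missing scopes, and a secret configured in both lists.
func Resolve(cfg AuthServiceConfig) ([]ResolvedToken, error) {
	seen := map[string]bool{}
	var out []ResolvedToken
	add := func(raw, agentScope, tokenScope string) error {
		role, secret, err := splitToken(raw)
		if err != nil {
			return err
		}
		if seen[secret] {
			return fmt.Errorf("a token for role %q is configured more than once", role)
		}
		seen[secret] = true
		out = append(out, ResolvedToken{Role: role, Secret: secret, AgentScope: agentScope, TokenScope: tokenScope})
		return nil
	}
	for _, raw := range cfg.Tokens {
		if err := add(raw, "", ""); err != nil { // unscoped: no agent scope assigned
			return nil, err
		}
	}
	for _, e := range cfg.ScopedTokens {
		if e.Scope == "" {
			return nil, errors.New("scoped_tokens entry is missing a scope")
		}
		if err := ValidateScope(e.Scope); err != nil {
			return nil, err
		}
		if err := add(e.Token, e.Scope, RootScope); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	// Constructed input matching the YAML in the PR description.
	cfg := AuthServiceConfig{
		Tokens:       []string{"node:foo"},
		ScopedTokens: []ScopedTokenEntry{{Token: "node:bar", Scope: "/foo/bar"}},
	}
	tokens, err := Resolve(cfg)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, t := range tokens {
		fmt.Println(t)
	}
}
```

Running it prints one redacted line per token; the unscoped `node:foo` resolves with an empty agent scope, while `node:bar` carries `/foo/bar` as the scope joined nodes will receive and `/` as the scope of the token resource, matching the behaviour the PR describes.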
