Description
The per-rpc rate limiter in the Auth middleware has a special case with very tight limits for /proto.AuthService/CreateAuthenticateChallenge, since it's used by unauthenticated clients (albeit through the Proxy) for headless auth, but it's also used for per-session MFA, and tsh ssh specifically will call the rpc when connecting to any node (in parallel with a more direct connection) to minimize the amount of roundtrips necessary, ignoring any "MFA is not required" errors. This, however, means that multiple tsh ssh invocations in parallel will quickly exhaust the rate limit, resulting in misleading errors being shown to the user if there's any other problem with the connection.
Since the stricter rate limit is only necessary for requests from unauthenticated sources, we should allow authenticated users to call CreateAuthenticateChallenge with regular API rate limits. It should be fine to remove the special case in the interceptor-level limiter and run a dedicated rate limiter in the implementation of CreateAuthenticateChallenge, that's only hit if the request is coming from a non-authenticated source.
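A sketch of the split proposed above, added here as an illustration and not taken from Teleport's code: the interceptor applies only the regular API limit, and the handler consults a strict limiter only for unauthenticated callers. The `Limiter`, `Server` and `Challenge` names, the fixed-window counter, and the limits (100 per second, 5 per minute) are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrRateLimited = errors.New("rate limit exceeded")

// Limiter is a fixed-window counter per key (stdlib stand-in for a production limiter).
type Limiter struct {
	mu    sync.Mutex
	limit int
	per   time.Duration
	start time.Time
	count map[string]int
}

func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if now.Sub(l.start) >= l.per { // first call or window expired: start a fresh window
		l.start, l.count = now, map[string]int{}
	}
	l.count[key]++
	return l.count[key] <= l.limit
}

type Server struct{ api, unauth *Limiter }

// Challenge models one CreateAuthenticateChallenge RPC; addr and authenticated are hypothetical inputs.
func (s *Server) Challenge(addr string, authenticated bool, now time.Time) error {
	if !s.api.Allow(addr, now) { // interceptor: regular API limit, no per-RPC special case
		return ErrRateLimited
	}
	if !authenticated && !s.unauth.Allow(addr, now) { // handler: strict limit, unauthenticated only
		return ErrRateLimited
	}
	return nil // challenge creation itself is elided
}

func main() {
	s := &Server{api: &Limiter{limit: 100, per: time.Second}, unauth: &Limiter{limit: 5, per: time.Minute}}
	for i := 1; i <= 6; i++ { // constructed addresses; the 6th unauthenticated call is rejected
		fmt.Println(i, s.Challenge("198.51.100.7", false, time.Now()), s.Challenge("203.0.113.9", true, time.Now()))
	}
}
```

With this layout, an unauthenticated flood from an address exhausts only the strict limiter, so authenticated callers behind the same address keep working up to the regular API limit.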