open-payments client should validate management url format

[sabineschaller]

Anytime we return an access_token in the open-payments client (grant creation, grant continuation, token rotation), the access_token format should always match the format: ${grant.authServer.url}/token/${grant.managementId}.

Related thread

Note: because the client validates responses against the spec, we can also add a regex to the spec directly for checking this, something similar to how we define the pattern for receiver: pattern: '^(https|http)://(.+)/incoming-payments/(.+)$'.