Don't fallback to anonymous user when anonymous access is enabled for invalid access token/api key

[jkakavas]

Currently, when anonymous access is enabled, a request with an invalid/expired/wrong access token or an API Key would fallback to being authenticated as the anonymous user, as if the request wouldn't contain any Authorization header. This might be a confusing behavior for users and we should be explicit in our responses about treating no credentials and wrong credentials differently, even when anonymous access is enabled.

[elasticmachine]

Pinging @elastic/es-security (:Security/Authentication)

[kobelb]

Hey @jkakavas, is there any chance of getting this addressed for 7.6? Otherwise, any of Kibana's token based auth providers aren't going to work properly after a token expires for long enough that it's purged from the .security-tokens-7 index and anonymous access is enabled. This is compounded by the fact that Cloud uses an anonymous user that has no privileges.