Validate service account tokens before executing the 'op' cli command

[zcutlip]

The format of the service account token is now documented here.

It should be relatively straightforward to decode and do some basic validation of a service account token prior to ever executing op.

This is in line with our goal of catching specific, precise errors without op reporting them, which is less precise, and requires scraping stderr.

There is currently an exception, OPCmdMalformedSvcAcctTokenException, which represents a malformed service account token as reported by op

We can add a new exception that represents a malformed service account token that we detect on our own