Conversation

@loganbertram
Contributor

JIRA Ticket:
BB2-3484

What Does This PR Do?

Adds a backstop check for demographic scopes to fix a scope-creep issue.

What Should Reviewers Watch For?

Ensure that the input/output states of the API correspond to the states enumerated here. Ensure that the API, especially scopes and permissions, behaves as expected without additional side effects.

If you're reviewing this PR, please check for these things in particular:

Validation

The unit test changes represent the real changes in behavior desired, so they provide strong validation of the update, but manual testing should confirm this comprehensively.

What Security Implications Does This PR Have?

Please indicate if this PR does any of the following:

  • Adds any new software dependencies
  • Modifies any security controls
  • Adds new transmission or storage of data
  • Any other changes that could possibly affect security?
  • Yes, one or more of the above security implications apply. This PR must not be merged without the ISSO or team
    security engineer's approval.

Any Migrations?

  • Yes, there are migrations
    • The migrations should be run PRIOR to the code being deployed
    • The migrations should be run AFTER the code is deployed
    • There is a more complicated migration plan (downtime, etc.)
  • No migrations
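The description above says only that a "backstop check" was added for demographic scopes; the PR's own code is not shown on this page. The following is an added illustration of what such a check looks like as a pattern, not the project's code: a second, independent validation that runs right before a token is persisted and refuses to issue it if the granted scope set is wider than what was requested, what the application is allowed, or what the beneficiary consented to share. Everything here is assumed: the language (Python, on the assumption that the backend is Python), the scope strings, the `compute_granted_scopes`, `backstop_check` and `issue_token` names, and the deliberately buggy `legacy_grant` that stands in for whatever upstream path produced the over-broad tokens.

```python
"""Hypothetical model of a backstop scope check (added example, not project code)."""

# Constructed scope names for illustration; the project's real scope strings
# are not on the page.
DEMOGRAPHIC_SCOPES = frozenset({"patient/Patient.read", "profile"})
NON_DEMOGRAPHIC_SCOPES = frozenset(
    {"patient/ExplanationOfBenefit.read", "patient/Coverage.read"}
)
KNOWN_SCOPES = DEMOGRAPHIC_SCOPES | NON_DEMOGRAPHIC_SCOPES


class ScopeCreepError(ValueError):
    """Raised when a token would carry scopes it must not carry."""


def compute_granted_scopes(requested, app_allowed, user_shares_demographics):
    """Intended grant rule: requested AND allowed for the app, minus demographic
    scopes when the beneficiary declined to share them."""
    granted = set(requested) & set(app_allowed) & KNOWN_SCOPES
    if not user_shares_demographics:
        granted -= DEMOGRAPHIC_SCOPES
    return frozenset(granted)


def legacy_grant(requested, app_allowed, user_shares_demographics):
    """Stand-in for a buggy upstream path (hypothetical): it unions instead of
    intersecting and ignores the beneficiary's demographic choice, so it
    produces exactly the over-broad token the backstop should stop."""
    return frozenset(set(requested) | set(app_allowed))


def backstop_check(granted, requested, app_allowed, user_shares_demographics):
    """Independent re-validation at token-issue time. It does not trust the
    grant computation; it only checks invariants that must hold for any token.
    Returns True on success, raises ScopeCreepError otherwise."""
    granted = set(granted)
    unknown = granted - KNOWN_SCOPES
    if unknown:
        raise ScopeCreepError(f"unknown scopes in grant: {sorted(unknown)}")
    over_requested = granted - set(requested)
    if over_requested:
        raise ScopeCreepError(f"granted but never requested: {sorted(over_requested)}")
    over_allowed = granted - set(app_allowed)
    if over_allowed:
        raise ScopeCreepError(f"granted but not allowed for app: {sorted(over_allowed)}")
    leaked = granted & DEMOGRAPHIC_SCOPES
    if leaked and not user_shares_demographics:
        raise ScopeCreepError(f"demographic scopes without consent: {sorted(leaked)}")
    return True


def issue_token(requested, app_allowed, user_shares_demographics, grant_fn=compute_granted_scopes):
    """Compute the grant with `grant_fn`, then run the backstop before 'persisting'.
    The returned dict models the token record; 'scope' is the space-joined set."""
    granted = grant_fn(requested, app_allowed, user_shares_demographics)
    backstop_check(granted, requested, app_allowed, user_shares_demographics)
    return {"scope": " ".join(sorted(granted))}


if __name__ == "__main__":
    req = {"patient/Coverage.read", "patient/Patient.read"}
    print(issue_token(req, KNOWN_SCOPES, user_shares_demographics=False))
    try:
        issue_token(req, KNOWN_SCOPES, False, grant_fn=legacy_grant)
    except ScopeCreepError as exc:
        print("backstop rejected token:", exc)
```

The point of the pattern is that the backstop checks invariants of the final token rather than re-implementing the grant logic, so a regression in any upstream path (a new consent flow, a refactored scope parser) fails closed at issue time instead of producing a token with scopes nobody authorized. Note the case the reviewer mentions, demographic scopes requested and consented to with no non-demographic scope alongside them: the invariants above hold for it, so this model issues the token, which is consistent with the comment that the backstop limits the problematic token types rather than resolving that case.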

Contributor

@jimmyfagan jimmyfagan left a comment

Looks good, tested this, and while this still results in less-than-ideal behavior when Demographic scopes are requested and granted without non-demographic scopes, this will prevent the creation of the problematic token types.

@loganbertram loganbertram merged commit ff3386c into master Oct 30, 2024
6 checks passed
@loganbertram loganbertram deleted the loganbertram/BB2-3484-scope-incident-fix branch October 30, 2024 19:12