[Doc] Clarify that databricks_token and databricks_obo_token could be used only with workspace-level provider (#4480)

## Changes
<!-- Summary of your changes that are easy to understand -->

Resolves #4458

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [ ] `make test` run locally
- [x] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [ ] using Go SDK
- [ ] using TF Plugin Framework

Author: alexott

NEXT_CHANGELOG.md

@@ -14,6 +14,7 @@
 
  * Add an example for Databricks Apps permissions ([#4475](https://github.com/databricks/terraform-provider-databricks/pull/4475)).
  * Add explanation of timeouts to the troubleshooting guide ([#4482](https://github.com/databricks/terraform-provider-databricks/pull/4482)).
+ * Clarify that `databricks_token` and `databricks_obo_token` could be used only with workspace-level provider ([#4480](https://github.com/databricks/terraform-provider-databricks/pull/4480)).
 
 ### Exporter
 

docs/resources/obo_token.md

@@ -3,7 +3,11 @@ subcategory: "Security"
 ---
 # databricks_obo_token Resource
 
-This resource creates [On-Behalf-Of tokens](https://docs.databricks.com/administration-guide/users-groups/service-principals.html#manage-personal-access-tokens-for-a-service-principal) for a [databricks_service_principal](service_principal.md) in Databricks workspaces on AWS. It is very useful, when you want to provision resources within a workspace through narrowly-scoped service principal, that has no access to other workspaces within the same Databricks Account.
+-> This resource can only be used with a workspace-level provider!
+
+This resource creates [On-Behalf-Of tokens](https://docs.databricks.com/administration-guide/users-groups/service-principals.html#manage-personal-access-tokens-for-a-service-principal) for a [databricks_service_principal](service_principal.md) in Databricks workspaces on AWS and GCP.  In general it's best to use OAuth authentication using client ID and secret, and use this resource mostly for integrations that doesn't support OAuth.
+
+~> To create On-Behalf-Of token for Azure Service Principal, configure Terraform provider to use Azure service principal's client ID and secret, and use `databricks_token` resource to create a personal access token.
 
 ## Example Usage
 

docs/resources/token.md

@@ -3,6 +3,8 @@ subcategory: "Security"
 ---
 # databricks_token Resource
 
+-> This resource can only be used with a workspace-level provider!
+
 This resource creates [Personal Access Tokens](https://docs.databricks.com/sql/user/security/personal-access-tokens.html) for the same user that is authenticated with the provider. Most likely you should use [databricks_obo_token](obo_token.md) to create [On-Behalf-Of tokens](https://docs.databricks.com/administration-guide/users-groups/service-principals.html#manage-personal-access-tokens-for-a-service-principal) for a [databricks_service_principal](service_principal.md) in Databricks workspaces on AWS. Databricks workspaces on other clouds use their own native OAuth token flows.
 
 ## Example Usage