fix(auth): disambiguate auth-denied vs missing component messages

[strawgate]

When component-level auth= denies access to a tool, resource, or prompt, get_tool() / get_resource() / get_prompt() swallow the AuthorizationError and return None. AuthMiddleware then can't tell "doesn't exist" apart from "exists but you can't see it", and it picked the worst of both: it told the caller the component was not found. A user who genuinely lacks access would chase a phantom missing-tool problem, while a global-auth denial on the very same component reports "insufficient permissions" — the two paths gave contradictory stories for the same underlying cause.

This changes the three messages to not found or not authorized. The wording is deliberately ambiguous: it stops misleading authorized-but-mistaken users without disclosing the existence of components to callers who aren't allowed to see them (the anti-enumeration property some deployments rely on). The misleading inline comments claiming get_* "raises if unauthorized" are corrected to document the real None-collapsing behavior.

mcp = FastMCP(middleware=[AuthMiddleware(auth=allow_all)])

@mcp.tool(auth=require_scopes("admin"))
def secret_tool() -> str: ...

# caller without "admin" scope, before: "... secret_tool': tool not found"
# after:                                "... secret_tool': not found or not authorized"

Addresses Bug 1 of #4054. Bugs 2–4 are out of scope here (Bug 4 is handled in #4078).