Disable user_external_accounts entries when we receive 401 Bad Credentials errors

Created by: pjlast

Sometimes user tokens expire or get revoked, but they're still stored in our DB even after failing. This causes bad scenarios where a user's code host ID is linked to their account, causing repository permissions to be assigned to them, but user-centric permissions syncing fails, causing the permissions to go into a state of tug-of-war.

We should, after confirming that it does indeed work like this, mark a user_external_account as deleted/disabled or something, when we receive a 401 Bad Credentials error (or something similar, but should be status code 401). For tokens that can be refreshed, this should only happen after the refresh fails with a 401 as well.