campaigns: use user tokens when reconciling changesets

Created by: LawnGnome

This closes #14989 (closed), and replaces #15301.

I've implemented the approach suggested by @mrnugget in #15301: instead of making Sourcer an interface, we'll instead add an optional UserSource interface that Source instances can implement by adding a WithAuthenticator method that accepts (unsurprisingly) an auth.Authenticator. At present, GitHub and GitLab support this.

I've tested this against GitHub and GitLab with auth.OAuthBearerToken user credentials, and so far, so good. The admin fallback also still appears to work just fine.

The non-admin case also works just fine:

This PR does not plumb the token through to gitserver, but that's coming soon...