docs(config): clarify token_auth_enforced scope and session behavior

[joshtrichards]

• Resolves: # (related to [Bug]: Some users can access webdav with their password with token_auth_enforced set #50279)

Summary

Clarify the token_auth_enforced description in config.sample.php.

The updated wording makes it clearer that this option:

• applies to direct client authentication flows that would otherwise accept either a regular password or an app password/token
• applies to client-style authentication such as DAV and HTTP Basic auth
• does not affect the standard interactive browser login, even when the browser is used to authorize a client
• does not automatically revoke existing sessions when enabled
• is not the mechanism for restricting password-based browser logins, for which SSO / an external identity provider is the intended approach

Why

The previous wording could be read more broadly than the implementation supports. In practice, this setting applies to direct client credential-based authentication flows, not the standard interactive browser login flow.

It also does not retroactively invalidate existing sessions, so enabling it affects new authentication attempts rather than users with existing authenticated sessions.

Additional context

Related to #50279.

This PR is documentation-only and focuses on clarifying the scope and behavior of token_auth_enforced. Related work in #59569 (unfinished/WIP) addresses separate follow-up work around admin-level session invalidation / revocation tooling.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI [used to review wording ideas and go rapidly back and forth with numerous drafts I played with to get the wording just right]

[susnux]

This seems to be AI assisted, so even though you checked the checkbox as per AI guidelines the commits have to include the AI disclosure:
https://github.com/nextcloud/.github/blob/master/AI_POLICY.md#disclosure

E.g. Assisted-by: ClaudeCode:claude-sonnet-4-6