The per-cloud OAuth2 endpoint templates carry a `{}` placeholder for the
Databricks account id (or Azure tenant id) that was never substituted, so
auto-detected authorize/token URLs were emitted as `.../accounts/{}/v1/...`.
The authorization-URI methods also unconditionally overwrote a fully-resolved
`authorization_request_uri` supplied via DATABASE_OAUTH2_CLIENTS.
- Add `_resolve_oauth2_endpoint`: substitutes `account_id`/`tenant_id` from the
database extra into the template, or raises OAuth2Error when absent instead of
issuing a request to an unresolved endpoint.
- Preserve a configured `authorization_request_uri`; only auto-detect/resolve
when none is set.
- `get_oauth2_token` has no database context to auto-detect, so fail fast on a
missing `token_request_uri` rather than POST to `.../{}/v1/token`.
- Cover auto-detect/resolve, preserve-configured, and fail-fast paths for both
the native and Python-connector specs; document `account_id`/`tenant_id`.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>