Update Token types to match privacypass.

[chris-wood]

The PrivateStateTokenV2VOPRF seems to be exactly the type1 tokens as defined in the emerging IETF standard for Privacy Pass. I understand why the PMBToken variant is slightly different, but I'm really struggling to see why we don't have alignment between the VOPRF version for PST and the VOPRF version for Privacy Pass. Is there a technical reason for this divergence? If not, can we please align them?

[dvorak42]

I believe the main divergences are:

• Token struct (missing token type/challenge_digest)
• Token verification (using the authenticator value instead of the issuedElement).

[tfpauly]

Using the standard token struct should be a very obvious change to make--the type is simple to add and useful to denote the type, and the challenge can even be synthesized if needed (other uses of privacy pass already do this).

Using proper token types also allows you to trivially work with both privately and publicly verifiable tokens.

[colinbendell]

fwiw, I took a stab at trying to enumerate the current spec differences here: https://docs.google.com/document/d/1oYeEI2rv-p5P_say6lBlNIrQjfGCep-a_DD0crAWS-A/edit#heading=h.fers8ov5jl9