fix: enforce mfa after usable token enrollment
requested to merge peterbolha/PRX-361/enforce_mfa_when_token_usable into v3.9.1-rebase-custom-changes
Addresses problem with prematurely triggered Perun actions when user's initial token was enrolled but not usable. Changes:
- filtering criterion adjusted to address specific usable rollout states for each used token type
- triggering backchannel logout and MFA enforcement done in postpolicy (after token rollout state update)
- custom changes related to Perun operations moved from /api/token to /lib/perun to prevent cyclical dependencies (init token -> init token postpolicy -> token usability evaluation)
- custom logger adjusted to work with new changes
Closes PRX-361