Add clarification of OAuth scope where needed

[kezike]

As I was implementing OAuth scopes, I realized that it was not clear how to specify access to specific entities (e.g., a specific workflow) via scope. I know now that you need to include the entity’s ID in the scope (e.g., read:/workflows/ab2719fd-d701-4854-889a-2f9568931127).

Another related advisory note that we should emphasize is that issuer coordinators should explicitly be granted access to workflows with these scopes, in order to prevent inadvertent exposure to unauthorized coordinators.

[msporny]

The group discussed this on the 2025-09-02 call and came to the conclusion that a PR should be raised to explain how the OAuth scopes should be structured.