Only use the TokenReview API when validating service account tokens.

Not all Kubernetes users have access to the service account signing public key so this auth backend cannot be used in those cases. One solution is to force users of this auth backend to obtain the signing keys required for validation.

Another solution, which maybe more correct, is to avoid doing any extra validation outside of the Kubernetes TokenReview API.