
Reject token binding status "present" in processCreate and processGet#131

Status: Open

ScottHelme wants to merge 1 commit into lbuchs:master from ScottHelme:reject-token-binding-present

Conversation

@ScottHelme

Per the W3C WebAuthn Level 2 spec (§7.1 Step 6 for registration, §7.2 Step 10 for authentication), if clientDataJSON.tokenBinding.status is "present", the server must verify the tokenBinding.id matches the Token Binding ID of the TLS connection.

The library does not implement Token Binding (which has been deprecated and removed from the Level 3 spec — no major browser supports it), so it cannot verify a binding ID. Currently tokenBinding is completely ignored, meaning status: "present" is silently accepted as an unverifiable claim.

This adds a check in both processCreate() and processGet() that rejects "present":

```php
if (\property_exists($clientData, 'tokenBinding') && \is_object($clientData->tokenBinding)
    && \property_exists($clientData->tokenBinding, 'status') && $clientData->tokenBinding->status === 'present') {
    throw new WebAuthnException('token binding not supported', WebAuthnException::INVALID_DATA);
}
```

The "supported" status is still accepted — it simply means the browser supports Token Binding but did not use it for this connection.

Fixes #130

Per Level 2 spec (§7.1 Step 6, §7.2 Step 10), if tokenBinding.status
is "present" the server must verify the binding ID against the TLS
connection. Since the library does not implement Token Binding (which
is deprecated and removed from Level 3), reject "present" rather than
silently accepting an unverifiable claim.

The "supported" status is still accepted — it simply means the browser
supports Token Binding but did not use it for this connection.

Fixes lbuchs#130
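The same rule applied to a raw base64url clientDataJSON, as an added example that is not the library's code: TokenBindingException stands in for WebAuthnException (assumed name), and, going one step beyond the PR's snippet, unrecognised status strings are rejected as well as "present".

```php
<?php
// Added example, not lbuchs/WebAuthn code: the tokenBinding rule the PR describes,
// for a relying party whose TLS stack never uses Token Binding.
class TokenBindingException extends RuntimeException {} // stand-in (assumed name) for WebAuthnException

// WebAuthn L2 §7.1 step 6 / §7.2 step 10 without a connection-level Token Binding ID:
// absent or "supported" passes, "present" is unverifiable and rejected. Unknown
// status strings are rejected too, one step beyond the PR's own snippet.
function checkTokenBinding(string $clientDataJsonB64Url): object
{
    $b64 = strtr($clientDataJsonB64Url, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false || !is_object($clientData = json_decode($raw))) {
        throw new TokenBindingException('clientDataJSON is not a base64url JSON object');
    }
    if (!property_exists($clientData, 'tokenBinding')) {
        return $clientData; // optional member; browsers without Token Binding omit it
    }
    $tb = $clientData->tokenBinding;
    if (!is_object($tb) || !property_exists($tb, 'status') || !is_string($tb->status)) {
        throw new TokenBindingException('malformed tokenBinding member');
    }
    if ($tb->status === 'present') {
        // No Token Binding ID exists for this TLS connection, so tokenBinding.id
        // cannot be compared; accepting it would trust an unverifiable claim.
        throw new TokenBindingException('token binding not supported');
    }
    if ($tb->status !== 'supported') {
        throw new TokenBindingException('unknown tokenBinding status');
    }
    return $clientData;
}

// Constructed samples, identical except for the tokenBinding member.
$base = '"type":"webauthn.get","challenge":"AAAA","origin":"https://rp.example"';
$samples = [
    'absent'    => '{' . $base . '}',
    'supported' => '{' . $base . ',"tokenBinding":{"status":"supported"}}',
    'present'   => '{' . $base . ',"tokenBinding":{"status":"present","id":"dGVzdA"}}',
];
foreach ($samples as $name => $json) {
    $b64url = rtrim(strtr(base64_encode($json), '+/', '-_'), '=');
    try {
        checkTokenBinding($b64url);
        echo "$name: accepted\n";
    } catch (TokenBindingException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

Running it accepts the "absent" and "supported" samples and rejects "present", which is the behaviour the PR adds to processCreate() and processGet().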

Linked issue (may be closed by this pull request): Token binding status "present" silently accepted without verification