[ZD-19640] diagnostic improvement in case impersonation failed.

I think this is an oversight in bded790f. A random attacker wouldn't know the correct API token value,
so given that it matched, I think the caller should know that it was the impersonation that failed, not the authentication.

Also log this at a higher level, since this indicates a problem in SecurityRealm.