fix: deduplicate concurrent token refresh requests in Credentials

[aaguiarz]

Summary

Concurrent calls into Credentials.getAccessTokenHeader() can trigger multiple simultaneous token refresh requests when no cached token is available (or token is expired).

Impact

This creates a thundering herd against the token issuer and can cause unnecessary rate limiting or quota consumption.

Expected

Concurrent callers should await the same in-flight refresh promise so only one token exchange request is sent.

Proposed Fix

Add an internal refresh lock/promise cache (e.g., refreshPromise) and reuse it across concurrent callers.