Fix OAuth scope selection using wrong parameter by jlowin · Pull Request #1632 · modelcontextprotocol/python-sdk
Fixes a bug introduced in #1586 where the OAuth scope selection strategy was incorrectly passing the resource metadata URL instead of the scope from the WWW-Authenticate header.
AFAICT this breaks all Python MCP clients that connect to servers with WWW headers because it treats the URL as a scope with highest priority.
The get_client_metadata_scopes() function expects the first parameter to be the scope string extracted from the WWW-Authenticate header. However, in this case it was incorrectly passing www_auth_resource_metadata_url (a URL) instead of calling extract_scope_from_www_auth(response) to get the actual scope value.
Closes #1630
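The mix-up described above, reproduced as an added example that is not the SDK's code: `www_auth_param`, `select_scope`, `scope_before_fix` and `scope_after_fix` are hypothetical names. The sample header is constructed, and the fallback to the resource's advertised scopes is an assumption made for this sketch.

```python
import re

# Constructed sample challenge; the URL and scope values are made up for this example.
SAMPLE_WWW_AUTH = (
    'Bearer error="insufficient_scope", '
    'resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource", '
    'scope="files:read files:write"'
)


def www_auth_param(header, name):
    """Return one auth-param (quoted or token form) from a WWW-Authenticate value, else None."""
    pattern = rf'(?:^|[\s,]){re.escape(name)}=(?:"([^"]*)"|([^\s,]+))'
    m = re.search(pattern, header or "")
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def select_scope(www_auth_scope, scopes_supported=None):
    """Hypothetical selection: the challenge's scope wins, then the advertised scopes."""
    if www_auth_scope:
        return www_auth_scope
    if scopes_supported:
        # Assumed fallback for this sketch: request everything the resource advertises.
        return " ".join(scopes_supported)
    return None


def scope_before_fix(header, scopes_supported=None):
    # The bug: the resource metadata URL lands in the scope position, so the
    # URL is requested as the scope and outranks every fallback.
    return select_scope(www_auth_param(header, "resource_metadata"), scopes_supported)


def scope_after_fix(header, scopes_supported=None):
    # The fix: pass the scope parameter taken from the same header.
    return select_scope(www_auth_param(header, "scope"), scopes_supported)


if __name__ == "__main__":
    print("before:", scope_before_fix(SAMPLE_WWW_AUTH))
    print("after: ", scope_after_fix(SAMPLE_WWW_AUTH))
```

A URL contains only characters that RFC 6749 allows in a scope token, so syntax validation of the scope string does not catch this; a regression test has to compare the requested scope against the header's `scope` value.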