fix(embedded-e2e): address Copilot review threads

Two narrowly-scoped fixes from the unresolved Copilot review threads on
PR #39300:

- helpers/api/embedded.ts: route getGuestToken through apiPost so the
  request picks up CSRF + Referer headers from the shared buildHeaders
  helper, instead of constructing headers inline and omitting Referer
  (Flask-WTF CSRFProtect cross-checks Referer when a session cookie is
  present). Authorization: Bearer is still passed in via options.headers.

- embedded-app/index.html: extract the catch-block error message safely
  with err instanceof Error ? err.message : String(err); browser-thrown
  values can be strings or DOMExceptions, not just Error instances.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>