fix(shared): handle banned/deactivated 403 as unauthenticated

#8004 narrowed ClerkJS sign-out from any 4xx to isUnauthenticatedError, but that helper only matched 401 and 422. Terminal 403s for user_banned and user_deactivated stopped triggering sign-out as a result.

Changes:
- Add user_banned and user_deactivated to an unauthenticated403ErrorCodes set
- isUnauthenticatedError returns true for 403 only when the response carries one of those codes
- Generic 403 and 429 stay out of the sign-out path
- Tests cover both directions

Packages affected:
- @clerk/shared: predicate + tests
- @clerk/clerk-js: behavior change via the shared predicate