Have POST requests with device-flow token fail instead of providing limited results

If someone is using a POST request with a device-flow token, they probably want a failure if the token is invalid instead of limited public results.