ch-image: some registries return 401 when rejecting anon token requests

On line 1017 of charliecloud.py, in authenticate_bearer(), we check for status code 403 to see if the anonymous token request was rejected. It turns out that some registries return 401, so accept that too.