vcl_cookies: use common pass_auth in mobile
This aligns with how text handles these cases. It assumes we get
Vary on Cookie for mobile responses (we do) for hit-for-pass in
place of the raw pass on important Cookies, and switches the
Authorization pass to only care about OAuth.