Sign out a user

Invalidates the user's current session and refresh token. Requires a valid access token in the Authorization header.