Clarify that submit_url is without authentication

The request is authorized by its parameters, not by an additional access token.

Fixes https://github.com/matrix-org/matrix-doc/issues/2298

api/client-server/administrative_contact.yaml

@@ -157,9 +157,10 @@ paths:
                     An optional field containing a URL where the client must
                     submit the validation token to, with identical parameters
                     to the Identity Service API's ``POST
-                    /validate/email/submitToken`` endpoint. The homeserver must
+                    /validate/email/submitToken`` endpoint (without the requirement
-                    send this token to the user (if applicable), who should
+                    for an access token). The homeserver must send this token to the
-                    then be prompted to provide it to the client.
+                    user (if applicable), who should then be prompted to provide it
+                    to the client.
 
                     If this field is not present, the client can assume that
                     verification will happen without the client's involvement

api/client-server/definitions/request_token_response.yaml

@@ -25,9 +25,9 @@ properties:
     description: |-
       An optional field containing a URL where the client must submit the
       validation token to, with identical parameters to the Identity Service
-      API's ``POST /validate/email/submitToken`` endpoint. The homeserver must
+      API's ``POST /validate/email/submitToken`` endpoint (without the requirement
-      send this token to the user (if applicable), who should then be
+      for an access token). The homeserver must send this token to the user (if
-      prompted to provide it to the client.
+      applicable), who should then be prompted to provide it to the client.
 
       If this field is not present, the client can assume that verification
       will happen without the client's involvement provided the homeserver