[BUG] --subdomain login fails with invalid_grant on non-US1 regions

[haru0017]

Describe the bug

pup auth login --subdomain <org> fails with invalid_grant for orgs on non-US1 regions.

pup constructs all URLs from a single site value. With --subdomain mycompany (site defaults to datadoghq.com), the authorization URL correctly becomes mycompany.datadoghq.com, but the token exchange goes to api.datadoghq.com instead of api.us3.datadoghq.com.

--site us3.datadoghq.com --subdomain mycompany doesn't help either as it constructs mycompany.us3.datadoghq.com.

To Reproduce

1. Run pup auth login --subdomain mycompany (org hosted on US3)
2. Browser opens https://mycompany.datadoghq.com/oauth2/v1/authorize?...
3. Authenticate successfully via SSO
4. Browser shows "Authentication Successful, Connected to Datadog (us3.datadoghq.com)"
5. CLI fails with invalid_grant

Expected behavior

Token exchange should be sent to api.us3.datadoghq.com (the actual region) instead of api.datadoghq.com.

Environment

• OS: macOS (Apple Silicon)
• Pup version: 0.65.0
• Authentication method: OAuth2

Command output

🔐 Starting OAuth2 login for site: datadoghq.com

🏢 Using SAML/SSO subdomain: mycompany.datadoghq.com
📡 Callback server started on: http://127.0.0.1:8000/oauth/callback
🔑 Requesting 85 scope(s) (use --scopes to customize)
✓ Using existing client registration

🌐 Opening browser for authentication...

⏳ Waiting for authorization...
🔄 Exchanging authorization code for tokens...
Error: token exchange failed (HTTP 400 Bad Request): {"errors": ["invalid_grant - Invalid authorization code or code verifier."]}

Additional context

Workaround: Run pup auth login --site us3.datadoghq.com, then manually replace us3.datadoghq.com with mycompany.datadoghq.com in the displayed auth URL before opening in browser. This confirms the token exchange works when sent to the correct endpoint.