Add guidelines about including tokens in badge URLs (#5522)

* Add guidelines about including tokens in badge URLs

* Tweak wording

Co-authored-by: Caleb Cartwright <calebcartwright@users.noreply.github.com>

Co-authored-by: Caleb Cartwright <calebcartwright@users.noreply.github.com>

CONTRIBUTING.md

@@ -107,6 +107,9 @@ There are three places to get help:
 - Badges should not obtain data by scraping web pages - these are likely to break frequently.
   Whereas API publishers are incentivised to maintain a stable platform for their users,
   authors of web pages have no such incentive.
+- Badges may require users to specify a token in the badge URL as long it is scoped only to
+  fetching information and doesn't expose any sensitive information. Generating a token with the
+  correct scope must be clearly documented.
 
 ## Badge URLs