Prepare a query for OTP sign in.

This preparation:

1. Filters the query by the identity field.
2. After the query, computes the deterministic JTI from the submitted OTP code.
3. Looks up the stored OTP token by JTI with a SELECT FOR UPDATE lock to prevent concurrent requests consuming the same code.
4. If found and valid, optionally revokes it (single-use), generates an auth JWT, and returns the user with the token in metadata. Otherwise returns an AuthenticationFailed error so the audit log records the attempt as a failure.