Exchanges the single-use code from the merchant onboarding magic link for a Cognito JWT issued by the merchant user pool. The resulting access_token must be supplied as a Bearer token when calling GET /merchant-accounts/onboarding.

The code is invalidated immediately after use.

Merchant onboarding flow

1. Admin calls POST /merchant-accounts → Adyen provisions account → magic link email sent.
2. Merchant clicks link containing the code.
3. Merchant POST /merchant-accounts/session/token with the code → receives JWT.
4. Merchant GET /merchant-accounts/onboarding?debtorCode=... with JWT → receives KYC URL.