Create access token for inactive/locked user

Found in

EPiServer.ContentDeliveryApi 1.0.1

Fixed in

EPiServer.ContentDeliveryApi 2.1.0

(Or a related package)

Created

Jun 27, 2018

Updated

Oct 30, 2018

State

Closed, Fixed and tested


Description

Steps to reproduce:

1. Create User1 as an inactive user (the Active checkbox is unchecked).
2. Create User2 as an active user, then get it locked out (log in with the wrong password 3 times).
3. Post an API request to create an access token for User1 or User2 above:

EPCMSHost/api/episerver/auth/token
grant_type = password

Expected:
Returns a response code 401 Unauthorized with an informative error message.

Actual:
Creates access token successfully.

Note: A locked status is often temporary, so issuing a token for a locked user may be acceptable. An inactive status, however, may be permanent, so it should be disallowed for authorization.
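The following is an added illustration of the check the report asks for, written here for this page; it is not Episerver's code and does not use the ContentDeliveryApi classes. It models a password-grant token endpoint over a constructed in-memory user store: a locked-out account is refused before the password is even verified, a wrong password increments a failure counter that locks the account after 3 attempts (as in step 2), and an account whose Active flag is unchecked is refused with 401 and an informative error even when the password is correct (the expected behaviour in the report). The user names, field names and messages are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Lockout threshold mirrors the "wrong password 3 times" step in the report (assumed value).
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    is_active: bool = True      # the "Active" checkbox in the admin UI (assumed name)
    is_locked: bool = False     # set after too many failed logins
    failed_attempts: int = 0


def make_user(username: str, password: str, is_active: bool = True) -> User:
    """Build a constructed user with a salted PBKDF2 password hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(username, salt, digest, is_active)


def password_matches(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, user.password_hash)


def issue_token(users: dict, grant_type: str, username: str, password: str):
    """Return (http_status, body) for a password-grant token request."""
    if grant_type != "password":
        return 400, {"error": "unsupported_grant_type"}

    user = users.get(username)
    if user is None:
        # Same generic message as a bad password so usernames are not enumerable.
        return 401, {"error": "invalid_grant",
                     "error_description": "Invalid username or password."}

    # Lockout is checked before the password so a locked account cannot be
    # used as a password oracle; the message is informative, as the report expects.
    if user.is_locked:
        return 401, {"error": "invalid_grant",
                     "error_description": "Account is locked."}

    if not password_matches(user, password):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.is_locked = True
        return 401, {"error": "invalid_grant",
                     "error_description": "Invalid username or password."}

    # Correct password, but an inactive account must still never receive a token.
    if not user.is_active:
        return 401, {"error": "invalid_grant",
                     "error_description": "Account is inactive."}

    user.failed_attempts = 0
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def reproduce_report() -> dict:
    """Run the report's three scenarios against a constructed store and return the statuses."""
    users = {
        "user1": make_user("user1", "correct-1", is_active=False),  # step 1: inactive
        "user2": make_user("user2", "correct-2"),                   # step 2: will be locked
        "user3": make_user("user3", "correct-3"),                   # control: active, unlocked
    }
    for _ in range(MAX_FAILED_ATTEMPTS):                           # lock user2 out
        issue_token(users, "password", "user2", "wrong")
    return {
        "inactive": issue_token(users, "password", "user1", "correct-1"),
        "locked": issue_token(users, "password", "user2", "correct-2"),
        "active": issue_token(users, "password", "user3", "correct-3"),
    }


if __name__ == "__main__":
    for name, (status, body) in reproduce_report().items():
        print(name, status, body)
```

Running the block prints 401 for the inactive and the locked user and 200 with a bearer token for the control user; the buggy behaviour described under "Actual" would correspond to dropping the `is_locked` and `is_active` checks.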