This has been previously discussed, and 404 is the preferred status code for an invalid subject token, which must be distinguished from an invalid X-Auth-Token. An invalid/revoked/expired X-Subject-Token CANNOT be "considered similar to providing incorrect username or password" -- the requestor is authenticated by the X-Auth-Token, not by the X-Subject-Token. I don't think there's any room to change status codes here.
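The distinction drawn in the comment above, as an added sketch (not Keystone's code and not part of the original comment): the requestor is checked first via X-Auth-Token, and only then is the subject token looked up as a resource. The token table, the function names and the 401 returned for a bad X-Auth-Token are assumptions of this example; the 404 for an invalid subject token is from the comment.

```python
# Constructed in-memory token table for illustration only.
NOW = 1_000  # fixed "current time" so the example is deterministic
TOKENS = {
    "svc-valid":    {"expires_at": 2_000, "revoked": False},
    "svc-expired":  {"expires_at": 500,   "revoked": False},
    "user-valid":   {"expires_at": 2_000, "revoked": False},
    "user-expired": {"expires_at": 500,   "revoked": False},
    "user-revoked": {"expires_at": 2_000, "revoked": True},
}


def _usable(token_id, now):
    """True only for a known, unrevoked, unexpired token."""
    rec = TOKENS.get(token_id)
    return rec is not None and not rec["revoked"] and rec["expires_at"] > now


def validate_subject_token(headers, now=NOW):
    """Return (status, body) for a hypothetical token-validation request."""
    # Step 1: authenticate the requestor. Only X-Auth-Token proves who is
    # asking, so only a bad X-Auth-Token is an authentication failure
    # (401 is this sketch's assumption).
    if not _usable(headers.get("X-Auth-Token"), now):
        return 401, {"error": "requestor not authenticated"}

    # Step 2: the subject token is the resource being asked about. Invalid,
    # revoked, expired (or, in this sketch, missing) means the resource does
    # not exist for this caller: 404, not an authentication failure.
    subject = headers.get("X-Subject-Token")
    if not _usable(subject, now):
        return 404, {"error": "subject token not found"}

    return 200, {"token": {"expires_at": TOKENS[subject]["expires_at"]}}


def caller_action(status):
    """What a calling service should do with each outcome."""
    return {
        200: "accept subject token",
        401: "re-authenticate own credentials and retry",
        404: "reject subject token; own credentials are still good",
    }[status]
```

If both cases returned the same code, a calling service could not tell whether to refresh its own token or reject the end user's token.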