ext_authz: fix docs for `status_on_error` (#24778)

Fixes #24748

Risk Level: Very low
Testing: docs only change

Signed-off-by: Greg Greenway <ggreenway@apple.com>

Mirrored from https://github.com/envoyproxy/envoy @ bfa849bc598870033dbbc11ae17c9abb273e19e5

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -80,8 +80,8 @@ message ExtAuthz {
   //
   bool clear_route_cache = 6;
 
-  // Sets the HTTP status that is returned to the client when there is a network error between the
+  // Sets the HTTP status that is returned to the client when the authorization server returns an error
-  // filter and the authorization server. The default status is HTTP 403 Forbidden.
+  // or cannot be reached. The default status is HTTP 403 Forbidden.
   type.v3.HttpStatus status_on_error = 7;
 
   // Specifies a list of metadata namespaces whose values, if present, will be passed to the
@@ -125,6 +125,10 @@ message ExtAuthz {
   // typed_per_filter_config for the path, requests will not be denied.
   //
   // If this field is not specified, all requests will be allowed when disabled.
+  //
+  // If a request is denied due to this setting, the response code in :ref:`status_on_error
+  // <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
+  // be returned.
   config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
 
   // Specifies if the peer certificate is sent to the external service.