Try to separete the two apsects of your coude. One is the business, and
one is the security.
Bind the authentication token to the HTTP request, the decorator will
take the token from there. If the authentication fail, throw an
exception, that can you handle in the web layer, and you can show some
friendly message to the user.
Incoming HTTP request -> some sort of filter bind the auth token to the
request, then delegates the call to the application -> controller do
it's business, and eventually call the use case -> the security
decorator takes the auth token from the HTTP request, and do the
neccesary cheks. If everthing ok, delegates the call to the UC, if not,
throw a security exception.
If you afraid of depending directly to the HTTP request, then you can
create a AuthTokenHoler interface, and use that. And in a configuration,
or during the bootstrap, you can create an object that implement the
interface using the HTTP request, or the session.