Update migration guide

Author: tobias-tengler

website/src/docs/hotchocolate/v16/migrating/migrate-from-15-to-16.md

@@ -20,6 +20,24 @@ The `@skip` and `@include` directives are now disallowed on root subscription fi
 
 Deprecating a field now requires the implemented field in the interface to also be deprecated, as specified in the [draft specification](https://spec.graphql.org/draft/#sec-Objects.Type-Validation).
 
+## Accidental use of `Microsoft.AspNetCore.Authorization.*` attributes throws an error
+
+Since our authorization attributes (`[Authorize]` and `[AllowAnonymous]`) share the same names as the regular ASP.NET attributes, it's easy to accidentally use the wrong ones.
+In the worst-case scenario, this could result in your field or type ending up without any authorization being applied!
+
+To prevent this, we've added a check that throws an error during schema generation if it detects `Microsoft.AspNetCore.Authorization.*` attributes being applied to a GraphQL resolver.
+
+> Note: Keep in mind that your clients might currently rely on the absence of authorization.
+
+You can disable this new validation by setting the `ErrorOnAspNetCoreAuthorizationAttributes` option to `false`:
+
+```csharp
+builder.Services.AddGraphQLServer()
+    .ModifyOptions(options => {
+        options.ErrorOnAspNetCoreAuthorizationAttributes = false;
+    })
+```
+
 # Deprecations
 
 Things that will continue to function this release, but we encourage you to move away from.