moku
Improve signature verification
Right now, signature verification only checks that the signature provided in the request headers is correct based on the public key URL provided in the body of the request. It currently makes no effort to verify that the actor should be able to perform the action.
For example, we don't verify that the public key belongs to the user. I'm not 100% sure I know how to accomplish that yet, but I'm assuming it's something like "the key URL should be similar to the account's id".
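One way to bind the signing key to the actor, as an added example that is not moku's code and not part of the original issue text. It assumes ActivityPub-style actor documents that expose `publicKey.id`, `publicKey.owner` and `publicKeyPem`; `key_belongs_to_actor`, `fetch`, `DOCS` and all URLs are hypothetical names and constructed sample data.

```python
from urllib.parse import urldefrag, urlsplit

def _id(value):
    """Return the id of a JSON-LD value given as a URL string or as an object."""
    return value.get("id") if isinstance(value, dict) else value

def _keys(doc):
    """Yield key objects from a document that is either a key or an actor."""
    if "publicKeyPem" in doc:
        yield doc
    pk = doc.get("publicKey", [])
    yield from (c for c in (pk if isinstance(pk, list) else [pk]) if isinstance(c, dict))

def key_belongs_to_actor(activity, key_id, fetch):
    """Run after the signature itself verified against the key at key_id.

    fetch(url) -> dict is an assumed helper returning the JSON document at url.
    """
    actor_id = _id(activity.get("actor"))
    if not isinstance(actor_id, str) or not isinstance(key_id, str):
        return False
    a, k = urlsplit(actor_id), urlsplit(key_id)
    # 1. Key and actor must live on the same HTTPS origin.
    if a.scheme != "https" or (a.scheme, a.netloc) != (k.scheme, k.netloc):
        return False
    # 2. The key document must name the activity's actor as its owner.
    key = next((c for c in _keys(fetch(urldefrag(key_id).url)) if c.get("id") == key_id), None)
    if key is None or _id(key.get("owner")) != actor_id:
        return False
    # 3. Back-link: the actor's own document must publish that same key.
    actor_doc = fetch(actor_id)
    return actor_doc.get("id") == actor_id and any(
        c.get("id") == key_id and c.get("publicKeyPem") == key.get("publicKeyPem")
        for c in _keys(actor_doc))

# Constructed sample documents standing in for remote actor lookups.
def _actor(host, name):
    uid = f"https://{host}/users/{name}"
    key = {"id": uid + "#main-key", "owner": uid, "publicKeyPem": f"PEM-{name}"}
    return uid, {"id": uid, "publicKey": key}

DOCS = dict(_actor(h, n) for h, n in
            [("social.example", "alice"), ("social.example", "bob"), ("evil.example", "mallory")])
fetch = lambda url: DOCS.get(url, {})
NOTE = {"type": "Create", "actor": "https://social.example/users/alice"}

if __name__ == "__main__":
    for signer in DOCS:  # only alice's own key is accepted for alice's activity
        print(signer, key_belongs_to_actor(NOTE, signer + "#main-key", fetch))
```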