Authorize application user to hit submissions endpoint

Open jalbinson opened this issue 1 year ago • 0 comments

User Story

We want to tie together the pieces to authorize a sender

Risks/Impacts/Considerations

We do not want any sender to submit reports as another organization

Dev Notes

  • Use preauthorize annotation to check for sender scope in submissions endpoint
  • Read in custom header via shared JWT code done in #16153
    • Add public key to submissions configuration to be able to verify signature
  • Make sure application user contains correct groups to submit report

Acceptance Criteria

  • Requests are authenticated and authorized
    • Both scope and groups are checked
  • Unit tests

jalbinson, Oct 09 '24 15:10