rems
Inconsistent handle-command validation messages
Command handlers can return misleading error messages when the user does not have permission to run the command.
E.g. with the :member role, an API call to the command :application.command/submit can return "licenses not accepted" or a form validation error before the forbidden error. This leaks information about the application to a user who does not have permission to see it. It is also odd logic that the command handler is executed before the user's permission is checked.
Test what the UX / behavior of the API is when an applicant creates a draft, then a member tries to submit it. Also test what happens when an unrelated user tries to submit it. Does it make sense?
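To illustrate the ordering problem described above, here is an added example (not REMS's own code) of a submit handler in the leaky order next to one that authorizes first. The application map, the `command-permissions` table, the role names and the error keywords are all constructed for the example and do not mirror REMS's real data model.

```clojure
(ns example.command-order
  (:require [clojure.set :as set]))

;; Constructed sample: an applicant's draft with one unaccepted license.
(def draft
  {:application/id 1
   :application/state :application.state/draft
   :application/applicant "alice"
   :application/members #{"bob"}
   :application/licenses [{:license/id 1 :accepted? false}]})

;; Assumed permission table: only the applicant may submit.
(def command-permissions
  {:application.command/submit #{:applicant}})

(defn user-roles [application user-id]
  (cond-> #{}
    (= user-id (:application/applicant application)) (conj :applicant)
    (contains? (:application/members application) user-id) (conj :member)))

(defn forbidden? [application user-id cmd-type]
  (let [allowed (get command-permissions cmd-type #{})]
    (empty? (set/intersection allowed (user-roles application user-id)))))

;; Business validation: every license must be accepted before submit.
(defn validate-submit [application]
  (when (some (complement :accepted?) (:application/licenses application))
    {:errors [{:type :licenses-not-accepted}]}))

;; Order from the issue: validation runs before the permission check, so a
;; :member (or anyone) learns the license state before being refused.
(defn handle-submit-leaky [application cmd]
  (or (validate-submit application)
      (when (forbidden? application (:actor cmd) (:type cmd))
        {:errors [{:type :forbidden}]})
      {:success true}))

;; Fixed order: authorization first, so an unauthorized caller only ever
;; sees :forbidden, whatever the application contains.
(defn handle-submit [application cmd]
  (if (forbidden? application (:actor cmd) (:type cmd))
    {:errors [{:type :forbidden}]}
    (or (validate-submit application)
        {:success true})))

(comment
  ;; member "bob": leaky handler reports the license error, fixed one forbids
  (handle-submit-leaky draft {:type :application.command/submit :actor "bob"})
  (handle-submit draft {:type :application.command/submit :actor "bob"})
  ;; unrelated user "carol": fixed handler forbids without touching validation
  (handle-submit draft {:type :application.command/submit :actor "carol"}))
```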