AS: PolicyEngine should differentiate user and internal errors

[mkulke]

At the moment we conflate user errors (policy fails to pass, requested policy does not exist) with internal errors (io errors). Signatures and code of those functions should be adapted, so that grpc/http api layers can produce different error codes instead of returning an "internal error" in all cases.

prior discussion