ditto
Allow access to metadata to be restricted via policies
The current implementation doesn't support policy enforcement. Only the thing's policy is taken into account when metadata is retrieved via HTTP API and the field selector "_metadata". https://github.com/eclipse/ditto/pull/1402 introduces extended access via (put|get|delete)-metadata which all do not respect policy access rights. Therefore any user with some access right on any part of a thing could e.g. query all metadata of the thing with the get-metadata header.
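The gap described above, as an added example that is not part of the original issue and is not Ditto code: a simplified model contrasting the unfiltered metadata read with a read filtered by per-path READ grants. The function names, the sample metadata and the reduction of a policy to a list of READ-granted pointers (no revokes) are assumptions made for illustration.

```python
# Simplified model (assumption): a subject's policy is reduced to a list of JSON
# pointers on which it holds READ. Revokes and other resource types are left out.

def _allowed(pointer, readable):
    """True if `pointer` equals, or lies below, a READ-granted pointer."""
    return any(g == "/" or pointer == g or pointer.startswith(g + "/")
               for g in readable)

def _may_descend(pointer, readable):
    """True if some READ-granted pointer lies below `pointer`."""
    return any(g.startswith(pointer + "/") for g in readable)

def filter_metadata(metadata, readable, pointer=""):
    """Return only the parts of the metadata tree the subject may read."""
    out = {}
    for key, value in metadata.items():
        child = f"{pointer}/{key}"
        if _allowed(child, readable):
            out[key] = value
        elif isinstance(value, dict) and _may_descend(child, readable):
            sub = filter_metadata(value, readable, child)
            if sub:  # drop branches that end up empty
                out[key] = sub
    return out

def unfiltered_get_metadata(metadata, readable):
    """Behaviour the issue describes: any access right yields all metadata."""
    return metadata if readable else {}

# Constructed sample: metadata mirrors the thing's structure.
THING_METADATA = {
    "attributes": {"location": {"issuedBy": "ops-team"}},
    "features": {
        "temperature": {"properties": {"value": {"issuedAt": "2022-06-01T10:00:00Z"}}},
        "doorLock": {"properties": {"pin": {"changedBy": "alice"}}},
    },
}
READABLE = ["/features/temperature"]  # subject may read one feature only

if __name__ == "__main__":
    print("unfiltered:", unfiltered_get_metadata(THING_METADATA, READABLE))
    print("filtered:  ", filter_metadata(THING_METADATA, READABLE))
```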