demo: alternative to middleware and the access package

[dnephin]

Update: many of the changes from the original draft were merged as part of #3103

This PR is a demonstration / proof-of-concept, that shows a different approach to our API authorization. I am not looking to merge this any time soon. I am opening this to demonstrate an approach that I've mentioned a few times in a number of discussions. This PR should only act as a demonstration of the possible approach. It will need more work before it's anywhere close to mergeable.

By moving authorization checks to be immediately after authn in the request flow can allow us to remove the access package without losing the benefits that the access package is supposed to provide. By checking permissions at the data layer (where the operation is actually being performed) we end up with better safeguards than the access package can provide, while also fixing the problems we have now (misleading error message, and unnecessary application layers that cause confusion and slow us down).