Check NATS subject when receiving messages

[paulgb]

We currently generate NATS subjects from message contents, but we don't verify that a message was received at the appropriate subject, so a connected client with access to publish on cluster.foo_bar.* can publish a message about the fizz_boom cluster instead of the foo_bar cluster and it is not checked. This is fine in the current situation where there is only one tenant, but will become necessary when we implement #124.

This will not be useful on all subjects until #145 ensures that all subjects include the cluster, since the cluster is level of isolation we want.

Rather than try to parse the subject, we can just generate the subject upon receiving a message and do a string comparison. This works because subjects are deterministically generated from messages.