Move request sanitization and upload disallowed out of file_upload

[dstufft]

This is extracting a (small) piece of https://github.com/pypi/warehouse/pull/14716 out into it's own PR, with the overarching goal of making the file_upload endpoint easier to read and reason about what's happening.

There's no real functionality change here (except we move request sanitizing to happen prior to the read only checks, which was done primarily because while the current sanitizers and the current checks are wholly independent of each other, that might not always be the case, so we sanitize first.

Beyond that, all this means is that when reading the file_upload method, it's easier to gloss over these checks, as they're just decorators instead of being part of the method body.

This also means that the tests that test this functionality no longer need to do heavy weight things like setup databases and make DB queries, making our tests just a little bit faster.