AP: Don't serve Webfinger for accounts we don't own

[snarfed]

Right now, a bit embarrassingly, we serve Webfinger responses for any addresses that comes in, regardless of whether we actually own it. Example: /.well-known/webfinger?resource=acct:[email protected], which we oddly get ~1-2qps for, steady state, from a ton of different instances. We should return 404 (I assume?) instead for addresses we don't own.

[snarfed]

Ah right. This isn't quite as easy because of our support for web sites on arbitrary domains. We'd need to detect when a domain is an AP instance so that we know when to serve a 400 and not try to handle them as a normal web site.

[snarfed]

Manual workaround for now is to just opt out any problematic domains here.

[snarfed]

Related: #348