- An incoming request should specify an app_id.
- The app_id is added to the token.
- A request associated with an app_id can only create, read, update and delete resources belonging to that app_id.
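As an added example (not part of the original note), a Python sketch of these rules: the app_id travels in a signed token, and every create, read, update and delete is scoped to the app_id the token carries, so a caller from one app cannot reach another app's resources. The HMAC token format, the in-memory store and the sample app ids are all constructed for this demonstration.

```python
import base64, hmac, hashlib, json

# Constructed demo signing key; in practice it comes from a secret manager.
SECRET = b"demo-signing-key"

def issue_token(app_id: str) -> str:
    """Mint a token carrying the app_id claim, HMAC-signed so it cannot be altered."""
    payload = base64.urlsafe_b64encode(json.dumps({"app_id": app_id}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def app_id_from_token(token: str) -> str:
    """Verify the signature, then return the app_id claim."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    return json.loads(base64.urlsafe_b64decode(payload))["app_id"]

# Constructed in-memory store: every resource records the app_id that owns it.
RESOURCES = {
    "r1": {"app_id": "app-A", "data": "alpha"},
    "r2": {"app_id": "app-B", "data": "bravo"},
}

def handle(token: str, action: str, resource_id: str, data=None) -> dict:
    """CRUD entry point: every action is scoped to the app_id in the token."""
    app_id = app_id_from_token(token)
    if action == "create":
        if resource_id in RESOURCES:
            raise ValueError("resource already exists")
        RESOURCES[resource_id] = {"app_id": app_id, "data": data}  # owner is the caller
        return RESOURCES[resource_id]
    res = RESOURCES.get(resource_id)
    # Same response for "missing" and "owned by another app", so a caller
    # cannot probe for the existence of other apps' resources.
    if res is None or res["app_id"] != app_id:
        raise PermissionError("not found")
    if action == "read":
        return res
    if action == "update":
        res["data"] = data
        return res
    if action == "delete":
        return RESOURCES.pop(resource_id)
    raise ValueError(f"unknown action {action!r}")
```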