
v4.1.30

@soyuka tagged this 13 Jun 04:52
AbstractItemNormalizer's relation IRI denormalization loaded the
resource without checking it matched the declared relation class,
since it never passed an operation to IriConverter::getResourceFromIri.
A writable relation declared as `Foo` with no PHP type hint (legacy
`@var`-only style) silently accepted a `/bars/1` IRI and Symfony's
PropertyAccessor could not block it — CWE-843 type confusion.

Add an is_a guard at both inline call sites so a mismatched IRI throws
InvalidArgumentException, mirroring the IriConverter operation check.

GHSA-9rjg-x2p2-h68h
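The type confusion and the `is_a` guard described in the release note, shown side by side as an added example. This is not API Platform's own code: `getResourceFromIri`, the `Foo`/`Bar`/`Thing` classes and the two `denormalizeRelation*` functions are constructed stand-ins for the real `IriConverter` and `AbstractItemNormalizer` call sites, and the IRI table is hard-coded so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for two API resources (not the project's classes).
final class Foo { public function __construct(public int $id) {} }
final class Bar { public function __construct(public int $id) {} }

// Constructed stand-in for IriConverter::getResourceFromIri: resolves an IRI
// to whatever resource it names, with no knowledge of the caller's expectation.
function getResourceFromIri(string $iri): object
{
    $table = [
        '/foos/1' => new Foo(1),
        '/bars/1' => new Bar(1),
    ];
    if (!isset($table[$iri])) {
        throw new InvalidArgumentException(sprintf('Unknown IRI "%s".', $iri));
    }
    return $table[$iri];
}

// Before the fix: the loaded resource is handed back as-is, so a `/bars/1`
// IRI flows into a relation declared as Foo.
function denormalizeRelationUnchecked(string $iri, string $declaredClass): object
{
    return getResourceFromIri($iri);
}

// After the fix: an is_a guard rejects any resource whose class is not the
// declared relation class (or a subclass of it).
function denormalizeRelationChecked(string $iri, string $declaredClass): object
{
    $resource = getResourceFromIri($iri);
    if (!is_a($resource, $declaredClass)) {
        throw new InvalidArgumentException(sprintf(
            'IRI "%s" resolves to %s, expected an instance of %s.',
            $iri,
            $resource::class,
            $declaredClass
        ));
    }
    return $resource;
}

// A writable relation with a docblock type only: PHP enforces nothing here,
// and Symfony's PropertyAccessor has no declared type to check against.
final class Thing
{
    /** @var Foo */
    public $foo;
}

$thing = new Thing();

// Unchecked path: a Bar lands in a property documented as Foo without error.
$thing->foo = denormalizeRelationUnchecked('/bars/1', Foo::class);
printf("unchecked: foo holds %s\n", $thing->foo::class);

// Checked path: the same mismatched IRI is rejected before assignment.
try {
    $thing->foo = denormalizeRelationChecked('/bars/1', Foo::class);
} catch (InvalidArgumentException $e) {
    printf("checked: rejected (%s)\n", $e->getMessage());
}

// Checked path with a matching IRI: accepted as before.
$thing->foo = denormalizeRelationChecked('/foos/1', Foo::class);
printf("checked: foo holds %s\n", $thing->foo::class);
```

`is_a($object, $class)` accepts subclasses of the declared class, which is what a relation declared against a parent resource wants; if a site must match exactly, compare `$resource::class` instead. The guard belongs at every place an IRI is resolved into a relation value, not only where a PHP type hint happens to exist, since the docblock-only style is exactly the case the runtime cannot catch.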