
Add admin request security measure until 2FA becomes available #57

Closed
Jumpy-Squirrel opened this issue Feb 6, 2023 · 0 comments · Fixed by #60
@Jumpy-Squirrel
Contributor

Right now, requests with admin rights can only come from reg-regsys-classic, that is, from the space behind the Apache reverse proxy.

This presents an opportunity to protect against admin requests coming in over the API, until 2FA becomes available:

Requests should only count as "admin" in IdentityManager if, in addition to having a token with the admin group, they also come with the header "X-Admin-Request" = "available". This header will be blocked in the Apache reverse proxy, just like the "X-Api-Token" header already is.

This is the respective implementation in reg-attendee-service.

```go
// checkInternalAdminRequestHeaderForGroup is a temporary safety measure until we have 2FA for admins.
//
// enforce extra internal request header for admin requests (header blocked for external requests)
//
// TODO: remove this workaround
func checkInternalAdminRequestHeaderForGroup(ctx context.Context, r *http.Request, group string) bool {
	if group == config.OidcAdminGroup() {
		adminRequestHeaderValue := r.Header.Get("X-Admin-Request")
		if adminRequestHeaderValue != "available" {
			aulogging.Logger.Ctx(ctx).Warn().Print("X-Admin-Request header was not set correctly!")
			return false
		}
	}
	return true
}
```

Should also be added to payment service, clearly marked as TODO to remove again when 2FA is here.
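Wiring the rule into an HTTP handler, as an added example that is not code from this issue or from reg-attendee-service: it assumes a constant admin group in place of config.OidcAdminGroup() and a groupsOf callback in place of token validation, and simulates an internal admin request, an admin token arriving without the header (what the proxy-stripped external path looks like), and a non-admin token that carries the header.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Assumed for this demo (not from the issue): a constant admin group instead
// of config.OidcAdminGroup(); groupsOf stands in for token validation.
const (
	adminGroup         = "admin"
	adminRequestHeader = "X-Admin-Request"
	adminRequestValue  = "available"
)

// isAdminRequest applies the issue's rule: admin only if the token carries the
// admin group AND the internal-only header has the expected value. Since the
// reverse proxy strips that header from external traffic, an admin token
// arriving over the public API is treated as a non-admin request.
func isAdminRequest(tokenGroups []string, r *http.Request) bool {
	for _, g := range tokenGroups {
		if g == adminGroup {
			return r.Header.Get(adminRequestHeader) == adminRequestValue
		}
	}
	return false
}

// adminOnly rejects non-admin requests with 403 before they reach next.
func adminOnly(groupsOf func(*http.Request) []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAdminRequest(groupsOf(r), r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor simulates one request with the given token groups and header
// value ("" means absent, as after the proxy strips it) and returns the status.
func statusFor(groups []string, headerValue string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := adminOnly(func(*http.Request) []string { return groups }, ok)
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if headerValue != "" {
		req.Header.Set(adminRequestHeader, headerValue)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { _ = statusFor([]string{"admin"}, "available") }
```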
