Poll endpoint should require authorization

[FragLegs]

The second recommendation from the final security audit:

As we note in Section 2.6, poll endpoint URLs
are not required to be secret, i.e., SETs could be requested by any party. For use cases requiring
confidentiality of SETs, we recommend mandating authorization at the poll endpoint.

[jischr]

@FragLegs having trouble finding this one... can you send the spec text section link...?

[FragLegs]

In section 7.1.1 we discuss how the authorization schemes (if present) apply. I think adding the polling endpoint here would make sense. Maybe something like this?

The authorization scheme section of the metadata provides discovery information related to the
Transmitter's stream management APIs. The authorization scheme SHOULD also be used to
protect any polling endpoint hosted by the Transmitter.

(the new text there is the second sentence)