Improve security in TagController show/update/delete methods

[reichert621]

Problem
Right now any user with a valid auth token can retrieve any tag resource as long as they know the ID of the resource. We should return a 404 (Not found) error if someone tries to retrieve/update/delete a resource that does not have a matching account_id

Solution
In the show, update, and delete methods of the tag controller, let's add an authorize plug (middleware) to handle this.

Check out #639 for an example

Describe alternatives you've considered
We could also just include the account_id in the query when we fetch the resource 🤷

Testing
Please add/update tests to take these updates into account!

Questions, or need help getting started?
Feel free to ask below, or ping us on Slack :)

(You can also check out our CONTRIBUTING.md)

[a8t]

I can do this one too, assuming my other PR is approved.