kcidbcheckout: add policy field requirement

If you leave the policy field as blank when creating a KCIDBCheckout, e.g. via the admin page, it will be in a weird state that it can not be found because the querysets are checking for NULL permissions. It's extremely difficult to correct this error, because you can't see the checkout to fix it :)

Add a custom form override and make the policy field required. This stops it being blank if you're using the admin page.

This is a conservative way to enforce this without changing the underlying model, so that I don't risk breaking any external loaders, etc.

Additionally, add the KCIDBOrigin model so that can be created via the admin site.

Fixes: #492 (closed)

[skip coverage check]