Validate `access_api` permission in the GraphqlController
We currently don’t validate whether a user has access to the API using the DeclarativePolicy framework.
We should add a validation that `can?(current_user, :access_api)` returns true for the user,
and render a 403 if it doesn’t.
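
A sketch of the proposed check, as an added example that is not GitLab's code: it gates query execution on `can?(current_user, :access_api)` and returns a 403 before the query runs. `MiniPolicy`, `GraphqlControllerSketch`, the `User` fields, the rule conditions and the error message are all hypothetical stand-ins; only the enable/prevent idea (a prevent overrides an enable) is modelled on DeclarativePolicy.

```ruby
require 'json'

# Constructed stand-in for a user record; the fields are assumptions for this sketch.
User = Struct.new(:name, :blocked, :password_expired, keyword_init: true)

# Simplified policy model (not the DeclarativePolicy API): an ability is granted
# only if at least one :enable rule matches and no :prevent rule matches.
module MiniPolicy
  RULES = [
    [:enable,  :access_api, ->(_user) { true }],
    [:prevent, :access_api, ->(user) { user&.blocked }],
    [:prevent, :access_api, ->(user) { user&.password_expired }]
  ].freeze

  def self.can?(user, ability)
    matching = RULES.select { |_kind, name, cond| name == ability && cond.call(user) }
    matching.any? { |kind, _, _| kind == :enable } &&
      matching.none? { |kind, _, _| kind == :prevent }
  end
end

# Hypothetical controller: the permission check runs before the executor is
# ever called, so a denied request cannot reach resolvers or mutations.
class GraphqlControllerSketch
  def initialize(executor)
    @executor = executor # callable standing in for the GraphQL schema
  end

  # Returns [http_status, json_body].
  def execute(current_user, query)
    unless MiniPolicy.can?(current_user, :access_api)
      return [403, JSON.generate({ errors: [{ message: 'API access denied' }] })]
    end

    [200, JSON.generate({ data: @executor.call(query, current_user) })]
  end
end

if __FILE__ == $PROGRAM_NAME
  ctrl = GraphqlControllerSketch.new(->(query, _user) { { 'echo' => query } })
  blocked = User.new(name: 'blocked', blocked: true, password_expired: false)
  p ctrl.execute(blocked, '{ currentUser { name } }')
end
```

A request spec for the real controller would assert the same two things: the status is 403 for a user the policy denies, and the schema is never executed for that request.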