Prevent create personal snippet through API as external user

It was brought to my attention that external users can create personal snippets through the API. This should not be the case. The alert was raised on !21718 (comment 285038445)

I worked on a related issue #14330 (closed) where I assumed personal snippet API requests were passed through permission checks. This is not the case, and my work to amend the snippet policies did not affect personal snippet API requests.

I have created a failing spec to verify that there is an issue.