Validate `access_api` permission in the GraphqlController

We currently don’t validate if a user has access to the API using the DeclarativePolicy framework. We should add that validation that a user can?(current_user, :access_api) and render a 403 if they can’t.