workbench: Reader tokens show collection files.
Fundamentally, this commit aims to support reader tokens when showing
a file from a Collection. Because this requires changing the token
handling generally, I also took this opportunity to improve error
reporting by checking the request's validity against the API server
before we pipe out to arv-get to render the file.
As a consequence, Workbench now returns a 404 if you request a file
using a token that does not have permission to read the collection.
Maybe this is not the best result, but previously it returned a 422,
so I think this counts as an improvement.