Ensure that the gateway is trusted for the target

[tfpauly]

We need to ensure that an attacker can't put an illegitimate gateway in for a service.

This likely has the form that:

• The target and gateway need to be colocated / share the same TLS certificate
• The config/gateway likely needs to be well-known

[tfpauly]

I think the goals are:

• Solution must link the target and gateway
  • Same hostname is OK, so you know that the certificate is covered
  • It's possible that SVCB points to different sets of addresses that support non-OHTTP target instances from OHTTP gateway+target instances. To support such cases, the relay likely SHOULD do the same SVCB query to find the gateway instance.
• Must not be able to split off separate paths that are controllable by someone else behind the server
  • Control over well-known for at least the config is needed