jasontaylordev / NorthwindTraders

Northwind Traders is a sample application built using ASP.NET Core and Entity Framework Core.
MIT License
5k stars 1.59k forks

The best place to check ownership of the model #190

Closed ghost closed 4 years ago

ghost commented 5 years ago

I have a model

    using System;

    // A Customer belongs to exactly one Account; AccountId is the ownership key.
    public class Customer
    {
        public int Id { get; set; }
        public string FullName { get; set; }
        public string Phone { get; set; }
        public string Email { get; set; }
        public string Comment { get; set; }
        public string Locale { get; set; }
        public DateTime Created { get; set; }
        public int AccountId { get; set; }
        public virtual Account Account { get; set; }
    }

I saved AccountId as a user claim and I can get it in the Application Layer

    // Application-layer abstraction over the current principal; GetAccountId()
    // returns the AccountId stored in the user's claim.
    public interface ICurrentUserService
    {
        string GetUserId();
        int GetAccountId();
    }

I have a command that the user sends

    using MediatR;

    // The command carries no AccountId; the caller's account comes from
    // ICurrentUserService, and Id is the only field naming the target Customer.
    public class UpdateCustomerCommand : IRequest<CustomerDto>
    {
        public int Id { get; set; }
        public string FullName { get; set; }
        public string Phone { get; set; }
        public string Email { get; set; }
        public string Comment { get; set; }
        public string Locale { get; set; }
    }

Before saving I need to verify that the Customer belongs to the user with the specified Account Id.

Question: On what layer is it better to check the ownership of the model?

I have these variants:

  1. In the controller: implement IAuthorizationHandler and check ownership before sending the command.
  2. Implement IRequestPreProcessor and check it before sending the command.
  3. Check in the command.

What do you think about it? Where do we need to check ownership of the model?

Thanks!
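As an added example (not code from this issue or from the NorthwindTraders project), the following shows variant 2 from the question: a MediatR pre-processor that verifies the target Customer is owned by the caller's AccountId before any handler runs. The `ICustomerScopedRequest` marker interface, the `ICustomerOwnershipLookup` port, the `NotFoundException` shape and the in-memory test doubles are all assumptions made for this example; the real project would back the lookup with its DbContext.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using MediatR;
using MediatR.Pipeline;

// Minimal stand-ins for the page's types so the example compiles on its own.
public class CustomerDto { public int Id { get; set; } }

public interface ICurrentUserService
{
    string GetUserId();
    int GetAccountId();
}

// Assumed marker interface: any request that targets a single customer by Id
// and must be restricted to the caller's own account implements it.
public interface ICustomerScopedRequest { int Id { get; } }

public class UpdateCustomerCommand : IRequest<CustomerDto>, ICustomerScopedRequest
{
    public int Id { get; set; }
    public string FullName { get; set; }
    public string Phone { get; set; }
    public string Email { get; set; }
    public string Comment { get; set; }
    public string Locale { get; set; }
}

// Assumed application-layer port: the AccountId that owns a customer, or null if none exists.
public interface ICustomerOwnershipLookup
{
    Task<int?> GetOwningAccountIdAsync(int customerId, CancellationToken cancellationToken);
}

// Assumed exception type for a failed check (same shape as a typical NotFoundException).
public class NotFoundException : Exception
{
    public NotFoundException(string name, object key)
        : base($"Entity \"{name}\" ({key}) was not found.") { }
}

// Open-generic pre-processor with no type constraint, so one registration covers all requests:
//   services.AddTransient(typeof(IRequestPreProcessor<>), typeof(CustomerOwnershipPreProcessor<>));
// It only acts on requests that implement ICustomerScopedRequest and ignores the rest.
public class CustomerOwnershipPreProcessor<TRequest> : IRequestPreProcessor<TRequest>
{
    private readonly ICurrentUserService _currentUser;
    private readonly ICustomerOwnershipLookup _ownership;

    public CustomerOwnershipPreProcessor(ICurrentUserService currentUser, ICustomerOwnershipLookup ownership)
    {
        _currentUser = currentUser;
        _ownership = ownership;
    }

    public async Task Process(TRequest request, CancellationToken cancellationToken)
    {
        if (!(request is ICustomerScopedRequest scoped))
            return; // not customer-scoped: nothing to enforce here

        int? owner = await _ownership.GetOwningAccountIdAsync(scoped.Id, cancellationToken);

        // "Does not exist" and "belongs to another account" are reported identically,
        // so a caller cannot learn which customer Ids exist outside their own account.
        if (owner == null || owner.Value != _currentUser.GetAccountId())
            throw new NotFoundException("Customer", scoped.Id);
    }
}

// Constructed test doubles and a small driver (not part of the project).
class FakeUser : ICurrentUserService
{
    public int AccountId;
    public string GetUserId() => "user-1";
    public int GetAccountId() => AccountId;
}

class InMemoryOwnership : ICustomerOwnershipLookup
{
    // constructed sample data: customer Id -> owning AccountId
    private readonly Dictionary<int, int> _owners = new Dictionary<int, int> { { 1, 10 }, { 2, 20 } };
    public Task<int?> GetOwningAccountIdAsync(int customerId, CancellationToken ct) =>
        Task.FromResult(_owners.TryGetValue(customerId, out var acc) ? acc : (int?)null);
}

public static class Program
{
    public static async Task Main()
    {
        var user = new FakeUser { AccountId = 10 };
        var pre = new CustomerOwnershipPreProcessor<UpdateCustomerCommand>(user, new InMemoryOwnership());

        await pre.Process(new UpdateCustomerCommand { Id = 1 }, CancellationToken.None);
        Console.WriteLine("customer 1: allowed (owned by account 10)");

        foreach (var id in new[] { 2, 999 }) // 2 is another account's, 999 does not exist
        {
            try { await pre.Process(new UpdateCustomerCommand { Id = id }, CancellationToken.None); }
            catch (NotFoundException e) { Console.WriteLine($"customer {id}: rejected -> {e.Message}"); }
        }
    }
}
```

Putting the check in the pipeline rather than in each handler means a new command that targets a customer only has to implement the marker interface to be covered, so the check cannot be forgotten handler by handler. A controller-level `IAuthorizationHandler` can still be used for early rejection, but the application-layer check is the one that every entry point (controllers, background jobs, tests) passes through, which is why it should be treated as the authoritative one.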

Mat2001mat commented 5 years ago

Taking this a step further... if you have ASP.NET Identity managing your user base and you want to associate those users with things like companies and perhaps other entities, should that all be part of the ASP.NET Identity tables, or should they be separate and inside the application? If so, how do you map those relationships, as the application can't depend on the infrastructure, etc.?