Workflow queries:run access for site_clients

[shreddd]

In this branch, I enabled access for approved workflow site clients to make updates via the /queries:run endpoint, if they are authorized in the _runtime.api.allow collection in Mongo

Details

If a user comes in via an access token for a workflow client (prefix client: in the sub: field of JWT) they were previously denied access to the /queries:run endpoint. This is a blocker for https://github.com/microbiomedata/nmdc_automation/issues/280

Moving forward we want to migrate workflow client functionality into the standard "User" model so this is a step in that direction

Related issue(s)

Fixes issue #776

Related subsystem(s)

• [X] Runtime API (except the Minter)
• [ ] Minter
• [ ] Dagster
• [ ] Project documentation (in the docs directory)
• [ ] MongoDB migrations
• [ ] Other

Testing

• [X] I tested these changes (explain below)
• [ ] I did not test these changes

I tested these changes by adding tests to test_endpoints.py

Documentation

NA

Maintainability

TBD

• [ ] Every Python function I defined includes a docstring (test functions are exempt from this)
• [ ] Every Python function parameter I introduced includes a type hint (e.g. study_id: str)
• [ ] All "to do" or "fix me" Python comments I added begin with either # TODO or # FIXME
• [x] I used black to format all the Python files I created/modified
• [x] The PR title is in the imperative mood (e.g. "Do X") and not the declarative mood (e.g. "Does X" or "Did X")