Give workers a different token for each work request

Adapted from @cjwatson on IRC:

Ideally a worker should only be able to do stuff within the scope of the work request it's working on.

The worker token we have now can be changed to just allow interaction with the scheduler to get new work requests.

Together with the work request, debusine can then give the worker a one-off token that is only valid only for as long as the work request is running and assigned to the worker, and which gives access only relevant to the work request.

• note that API views will probably need some attention: #523 (comment 557350)
• Look for annotations of #523 in the codebase, some hacks were added around this.