[Feature/Extension] Add permission for access create OBO Token endpoint.

[RyanL1997]

Description
We should alter the update the CreateOnBehalfOfTokenAction which is a RestHandler to use NamedRoutes, which will enforce permissions before the API can be used, permission named to be determined, placeholder, security:user.createOnBehalfOfToken.

Current Design VS Goal
According to the current design (source code), users do not need any permission to access the OBO token creation endpoint: _plugin/_securitty/api/user/onbehalfof. The goal of this issue is to register a specific security permission for accessing this endpoint.

[stephen-crawford]

[Triage] To close this issue, we would need to implement the permission stated in the description in order to access the endpoint for the token creation. This should include unit tests showing that the endpoint required is restricted as expected. @RyanL1997 to add final points.