Currently security token policies can restrict several aspects of API requests, such as node IDs, source IDs, aggregation levels, and so on. It would also be useful to restrict access to API methods themselves. For example, it might be useful for a user token to be authorized to call various /instr/** methods but nothing else.

To support that, add the ability to define "API paths" within a security policy. This could be a list of URL path strings, and should support Ant-style wildcards like other paths used in the SN API. Then, enhance the security authorization layer to enforce the paths. Then, add the ability in the SolarUser app to configure the paths when creating a security token.