Part of the work for preparing for non-COVID research.

Before a job runs a query against a restricted dataset, check that the project has permission to access that dataset. This work depends on a job-runner issue which will add the project's permissions to the agent.

It also depends on the refactoring in #2513, which will change the ehrQL dataset code.

This is a replacement for the existing repo permissions stored in the CLI. Those permissions only generated warnings, but these will be used to restrict access to specific datasets in the backend.

Which datasets?

For now, add the same restrictions that are defined in the CLI. We may need to update them later.