api2: token: use userid-group as API perm check

api2: token: use userid-group as API perm check

the previous version using an ACL path of '/access/users/{userid}' was
broken for non-root users, since the '@' character always contained in a
userid is not allowed in ACL paths.

this effectively meant that creating API tokens only worked for:
- root@pam (ACL checks skipped altogether)
- users with User.Modify on '/' with propagation (the roles/privs for
  '/' are propagated to the undefined path in this case)
- users creating their own tokens (first branch of 'or')

the userid-group check is used for all other modifications of user
entities, so it can also be used for creating/modifying/removing API
tokens.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>