Fix critical authentication bypass vulnerability in inbox handler

This fixes a severe security vulnerability where activities were processed
before verifying that the HTTP signature key belonged to the claimed actor,
allowing attackers to impersonate any ActivityPub user.

The fix moves the authentication check (doesActorOwnKey) to occur before
calling routeActivity(), ensuring that malicious activities with mismatched
signatures are rejected before any processing occurs.

A comprehensive test case has been added to verify the fix and prevent
regression of this critical security issue.

https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4