Control access to an API based on the RequestHeader.
See StructuredAccessControl for a way to implement access control based on separated
authentication and authorization.
Note that access control based on the request body is not supported right now. Consider
construction your HeaderAccessControl (using body parameters as necessary) and invoking
runAndCheck in your API body.