Federation: Backlinks Authentication

Currently the backlinks permissions are set to AllowAny. This means that a malicious user can inject data onto my server simply by posting to my inbox

The original suggestion on this issue was to do server-to-server authentication using server keys. Later it was discussed that sending the user as the actor of the activity (and authenticating them) might be better