enable API protection in serverless

[TinaHeiligers]

replaces #162149 See note below

fix #162117
restrictInternalApis set to true enforces the restriction to internal API's. The restriction is only enabled in serverless.

What this means to plugin authors and stack components :

Access to internal Kibana HTTP API endpoints is restricted in serverless and calls to these endpoints will respond with 400 when the request doesn't include an x-elastic-internal-product header.

The header is automatically included when using core's browser-side HTTP service (e.g. core.http.fetch('....'))

where the restriction is not applied:

• Public APIs do not have the restriction. Any request made to an endpoint defined as access: public remains open.
• The restriction is not enabled in our current offerings.

For more details, see #152404

How to test this:

Against a dev:

• Pull this PR
• Run the tests in x-pack/test_serverless in each solution for api_integration and functional tests.
  For example:
  node scripts/functional_tests_server --config test_serverless/api_integration/test_suites/<solution>/config.ts
  (new terminal) node scripts/functional_test_runner --config test_serverless/api_integration/test_suites/<solution>/config.ts

Repeat the process against a real serverless project. Ping Kibana Core for details.

Checklist

• Documentation was added for features that require explanation or tutorials (internal documentation only. Docs team: There's nothing for you to do here yet)
• Unit or functional tests were updated or added to match the most common scenarios

Risk

Risk	Probability	Severity	Mitigation/Notes
The restriction is knowingly bypassed by end-users adding the required header to use internal APIs	Low	High	Serverless: Kibana's internal APIs are not publically documented. If we do see violations, we tell the user to stop. Current offerings: internal public documentation on internal APIs must have the experimental warning and clearly state that internal APIs are subject to frequent changes
Upstream services don't include the header and requests to internal APIs fail	Medium	Medium	The Core team needs to ensure intra-stack components are updated too

For maintainers

• This was checked for breaking API changes and was labeled appropriately

Why a new branch?

@elastic/kibana-core
Changes aren't allowed to patches unless made directly from upstream.
Handling failing tests were safer in a proper branch

[TinaHeiligers]

Duplicate changes in #162636. Closing this one.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 9c3bb2e

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream