Backend Admin API middleware to verify session token; add tenantId to context

The `backend` package's Apollo GraphQL server should expect a session token from Kratos in any request made to the GraphQL API, such as in the header.

Based on the `identity.id` for this session, and if it is an `operator` or not, it should return the relevant `tenantId` and add it to the context. Then, the GraphQL resolver should use that `tenantId` to filter the query/mutation results.