While refactoring cookie-sync as defined in #2173, we discovered that the original TCF2 requirements for /setuid could use strengthening. At least in PBS-Java, the setuid endpoint was implemented according to the PBS requirement 16.1 in Prebid Support for Enforcing TCF 2. -- that requirement mentioned only checking the host company ID and not the bidder's Purpose 1 permission. I've updated 16.1.b with the bolded text:
Before setting a cookie on /setuid, verify consent for both the Host Company's GVL ID and the cookie-family's bidder GVL ID as appropriate for the enforcement method. If consent is not granted for either, log a metric and skip it.
This is not a high priority because the /cookie_sync endpoint checks P1 permission for the GVL of the bidder before returning the sync URL, so there's no way in production that a bidder without consent would be hitting /setuid. We found this in testing with manually generated URLs.
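The gate described in 16.1.b, as an added example that is not Prebid Server's own code (neither PBS-Java nor PBS-Go): a simplified /setuid consent check that contrasts the original host-only reading of 16.1 with the strengthened version that also requires Purpose 1 consent for the cookie family's bidder GVL ID, logging a metric and skipping the sync when either is missing. The `Consent` type, the metric names, the cookie-family-to-GVL-ID map, and the GVL IDs 1000/2000 are all constructed placeholders; a real implementation would decode the TC string and use the server's vendor list and metrics registry.

```go
package main

import "fmt"

// TCF2 Purpose 1 ("Store and/or access information on a device") governs
// writing the uids cookie. TCF2 allows only consent, never legitimate
// interest, as the legal basis for Purpose 1.
const purposeCookieAccess = 1

// Consent is a hypothetical, already-decoded view of a TCF2 consent string:
// which purposes the user consented to and which vendors (by GVL ID) they
// consented to. Decoding the TC string itself is out of scope here.
type Consent struct {
	PurposeConsents map[int]bool
	VendorConsents  map[int]bool
}

// Metrics stands in for the server's metrics registry; the counter names
// used below are constructed for this example, not PBS metric names.
type Metrics map[string]int

func (m Metrics) Inc(name string) { m[name]++ }

// Decision is the outcome of the /setuid consent gate.
type Decision struct {
	Allowed bool
	Reason  string // empty when allowed, otherwise why the sync was skipped
}

// vendorHasPurpose1 is the "basic" enforcement check: the user consented
// to Purpose 1 and to this specific vendor.
func vendorHasPurpose1(c Consent, gvlID int) bool {
	return c.PurposeConsents[purposeCookieAccess] && c.VendorConsents[gvlID]
}

// CheckSetuidHostOnly models the original reading of 16.1 described in the
// issue: only the host company's GVL ID is checked.
func CheckSetuidHostOnly(c Consent, hostGVLID int, m Metrics) Decision {
	if !vendorHasPurpose1(c, hostGVLID) {
		m.Inc("usersync.tcf.blocked.host")
		return Decision{false, "host_no_consent"}
	}
	return Decision{true, ""}
}

// CheckSetuid is the strengthened 16.1.b gate: both the host company's GVL
// ID and the cookie family's bidder GVL ID need Purpose 1 consent.
// bidderGVL maps cookie-family names to bidder GVL IDs (constructed here).
func CheckSetuid(c Consent, hostGVLID int, cookieFamily string, bidderGVL map[string]int, m Metrics) Decision {
	if d := CheckSetuidHostOnly(c, hostGVLID, m); !d.Allowed {
		return d
	}
	bidderID, known := bidderGVL[cookieFamily]
	if !known {
		// A cookie family with no known GVL ID cannot be checked, so it is
		// refused instead of falling through to the host-only result.
		m.Inc("usersync.tcf.blocked.unknown_bidder")
		return Decision{false, "unknown_cookie_family"}
	}
	if !vendorHasPurpose1(c, bidderID) {
		m.Inc("usersync.tcf.blocked.bidder")
		return Decision{false, "bidder_no_consent"}
	}
	return Decision{true, ""}
}

func main() {
	// Constructed sample: the user consented to Purpose 1 and to the host
	// company (placeholder GVL ID 1000) but not to the bidder (GVL ID 2000).
	// This is the manually generated /setuid case from the issue: the host-only
	// check lets it through, the strengthened check does not.
	consent := Consent{
		PurposeConsents: map[int]bool{purposeCookieAccess: true},
		VendorConsents:  map[int]bool{1000: true},
	}
	families := map[string]int{"examplebidder": 2000}
	m := Metrics{}

	fmt.Printf("host-only check:   %+v\n", CheckSetuidHostOnly(consent, 1000, m))
	fmt.Printf("host+bidder check: %+v\n", CheckSetuid(consent, 1000, "examplebidder", families, m))
	fmt.Println("metrics:", m)
}
```

The unknown-cookie-family branch is the one worth keeping in mind when porting this: a /setuid request whose family name is not in the bidder list has no GVL ID to check, and treating it as "host consent was enough" would reopen exactly the gap the issue describes.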