This ensures that deactivated users (and other users who fail the
`api_access` check, such as blocked users, or users who haven't accepted
terms of service) get a forbidden response from the GraphQL API
endpoint.

Changelog: security