Make BiometricService check for internal permission

Previously, some paths through BiometricService needed to be accessible
by apps. Now that external calls are routed through AuthService instead,
we can check for the system-only USE_BIOMETRIC_INTERNAL permission
everywhere that we had been checking for USE_BIOMETRIC in
BiometricService.

In order for this to be enforced properly, we also need to move some
of the permission checks that were previously in BiometricService to
AuthService, which is now the primary entry point for applications
invoking the relevant biometric APIs.

Test: com.android.server.biometrics
Test: Manually verified functionality using support biometric demo app

Bug: 148971767
Change-Id: Ieab61276c6375b0d674f73e1833edabc8700fe74