xblock-external-ui: Add XBlock API call to render XBlock views

xblock-external-ui: Include CSRF token in the API answer
xblock-external-ui: Include full path when building local_url
xblock-external-ui: Fix TestHandleXBlockCallback & bok_choy, add tests
xblock-external-ui: Only return `instance` in `_invoke_xblock_handler()`
xblock-external-ui: Group resources by hash tag to avoid duplicate loads
xblock-external-ui: PEP8
xblock-external-ui: Fail early if the XBlock view is called anonymously

    We used to serve anonymous requests, but most XBlocks assume that the
    user is logged in, which can generate a lot of errors when the user is
    accessed or when an XBlock ajax callback is queried. Fail early to only
    get one error per page load, and prevent displaying the XBlock
    altogether when the LMS doesn't find an active user session.

xblock-external-ui: Add request params in view render context
xblock-external-ui: HTTP error status when file is too large for handler
xblock-external-ui: Fix unicode encodings in XBlock rendering
xblock-external-ui: Feature flag for API call ENABLE_XBLOCK_VIEW_ENDPOINT