Check user status at the introspection endpoint

If a JWT subject contains the user's uuid (basically, it was not obtained with client credentials) and the user is suspended, the JWT should not be considered valid by IAM, i.e. a call to the introspection endpoint should return `valid: false`.