Clarify how homeservers are meant to auth themselves to appservices

Fixes https://github.com/matrix-org/matrix-doc/issues/1765

Note that the swagger definitions already say that authorization is required. It just wasn't mentioned in the spec.

changelogs/application_service/newsfragments/2037.clarification

@@ -0,0 +1 @@
+Add missing definition for how appservices verify requests came from a homeserver.

specification/application_service_api.rst

@@ -187,6 +187,14 @@ An example registration file for an IRC-bridging application service is below:
 Homeserver -> Application Service API
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+Authorization
++++++++++++++
+
+Homeservers MUST include a query parameter named ``access_token`` containing the
+``hs_token`` from the application service's registration when making requests to
+the application service. Application services MUST verify the provided ``access_token``
+matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error.
+
 Legacy routes
 +++++++++++++