Make getState API unavailable for unauthorized machines

Following on Marcin's response, we need to tighten up getState API command. Here's the original issue:

1. start the demo
2. go to machines, show unauthorized
3. click on the machine name (I used agent-kea-ha2)
4. click on the get latest state

This scenario is no longer possible from the UI as Marcin blocked the GetState button, but it's still possible using API. There should be an API check that would fail if machine is not authorized.