fix: Security: Implement Rate Limiting for Payment Endpoints

[Kaycee276]

Summary

Added slowapi-based rate limiting for payment endpoints.

• New app/core/rate_limit.py module centralising the Limiter instance. It keys by authenticated user id (falling back to Authorization header or client IP) and exposes configurable limit strings via environment variables (RATE_LIMIT_PAYMENT_PREPARE, RATE_LIMIT_PAYMENT_SUBMIT, RATE_LIMIT_PAYMENT_SUBMIT_FAILED, RATE_LIMIT_PAYMENT_RELEASE, RATE_LIMIT_PAYMENT_REFUND) with sensible defaults (10/min for prepare/release/refund, 5/min for submit, 3/min for failed submits).
• Wired the limiter into app/main.py: registered on app.state, added the SlowAPIMiddleware, and installed the RateLimitExceeded exception handler so clients get a proper 429 response.
• Decorated /prepare, /submit, /release, and /refund in app/api/v1/endpoints/payments.py with @limiter.limit(...). Added a stricter secondary bucket for /submit that only consumes quota when a submission fails (invalid XDR, unknown booking, unauthorized caller, or backend error), and _check_failed_submit_quota rejects further submissions with a 429 once that bucket is exhausted — blunting booking_id brute-force and Stellar-network spam attempts without penalising legitimate users.
• Added slowapi==0.1.9 to backend/requirements.txt.

---

closes #199

[gabito1451]

@Kaycee276 PLEASE RESOLVE CONFLICTS