For GraphQL requests, we call `authenticate_sessionless_user!(:api)` so
that we allow token authentication.

This fixes the check for the API URL because it was broken when the
GitLab instance is installed under a relative path.

When checking the path, we should account for the `relative_url_root`
setting.