Two organizations, one identity cookie. Each org's audit log lives on its own topic; a subscribe request from the wrong org returns FORBIDDEN at the wire layer, before any data reaches the client.
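One way to enforce the subscribe-time check described above, as an added example that is not the project's own code. The topic format `org/<orgId>/audit`, the `Broker` class, the frame shape and the `conn` object (with its org bound server-side from the identity cookie) are all assumptions made for illustration.

```javascript
// Added example, not the project's code. Assumed: topic names look like
// "org/<orgId>/audit", and conn.org was bound server-side at handshake
// from the identity cookie (never taken from the client's frame).
const TOPIC_RE = /^org\/([a-z0-9-]+)\/audit$/;

function authorizeSubscribe(conn, topic) {
  const m = typeof topic === 'string' ? TOPIC_RE.exec(topic) : null;
  // Deny by default: malformed topics and org mismatches get the same
  // answer, so the reply does not reveal which topics exist.
  if (!m || !conn || m[1] !== conn.org) return 'FORBIDDEN';
  return 'OK';
}

class Broker {
  constructor() { this.subscribers = new Map(); } // topic -> Set of conns

  handleFrame(conn, frame) {
    if (!frame || frame.type !== 'subscribe') return { type: 'error', code: 'BAD_REQUEST' };
    // The check runs before the connection is attached to the topic,
    // so a rejected subscriber can never receive an event.
    if (authorizeSubscribe(conn, frame.topic) !== 'OK') {
      return { type: 'error', code: 'FORBIDDEN' };
    }
    if (!this.subscribers.has(frame.topic)) this.subscribers.set(frame.topic, new Set());
    this.subscribers.get(frame.topic).add(conn);
    return { type: 'subscribed', topic: frame.topic };
  }

  publish(topic, event) {
    const targets = this.subscribers.get(topic) || new Set();
    for (const conn of targets) conn.inbox.push(event);
    return targets.size; // number of connections the event reached
  }
}

// Constructed scenario: one connection acting as org "acme".
function demo() {
  const broker = new Broker();
  const acme = { user: 'alice', org: 'acme', inbox: [] };
  const own = broker.handleFrame(acme, { type: 'subscribe', topic: 'org/acme/audit' });
  // A client-supplied "org" field in the frame is ignored by the check.
  const cross = broker.handleFrame(acme, { type: 'subscribe', topic: 'org/globex/audit', org: 'globex' });
  const leaked = broker.publish('org/globex/audit', { action: 'role.grant' });
  const delivered = broker.publish('org/acme/audit', { action: 'login' });
  return { own, cross, leaked, delivered, inbox: acme.inbox };
}
```

The org used for the decision comes only from server-side connection state, which is what keeps a client from choosing its own tenant in the subscribe frame.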