fix: Work around gRPC-Gateway bug in X-Forwarded-For handling

[haines]

This PR primarily aims to work around an issue with X-Forwarded-For handling in the gRPC-Gateway (grpc-ecosystem/grpc-gateway#4320).

Given a remote IP of 4.4.4.4 sending incoming headers of

X-Forwarded-For: 1.1.1.1, 2.2.2.2
X-Forwarded-For: 3.3.3.3

the resulting headers forwarded by the gRPC-gateway are

X-Forwarded-For: 1.1.1.1, 2.2.2.2
X-Forwarded-For: 3.3.3.3
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 4.4.4.4

The workaround I have added means that the resulting headers are

X-Forwarded-For: 1.1.1.1, 2.2.2.2
X-Forwarded-For: 3.3.3.3
X-Forwarded-For: 4.4.4.4

We now join the values with ", " rather than "|" to preserve the de-facto standard syntax.

This PR also prevents spoofing the remote address in the audit logs by setting the x-cerbos-http-remote-addr header; currently we take that header into account even for requests not originating from the gRPC-Gateway where it should be set. Even in the case of requests from the gRPC-Gateway, our header is appended to the request headers, so we need to make sure to use the last value for the header, not the first.