convert Authorized Fetch to a setting and add support for hybrid mode (essential metadata only)

.config/example.yml

@@ -369,8 +369,6 @@ signToActivityPubGet: true
 # When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
 # This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
 attachLdSignatureForRelays: true
-# check that inbound ActivityPub GET requests are signed ("authorized fetch")
-checkActivityPubGetSignature: false
 
 # For security reasons, uploading attachments from the intranet is prohibited,
 # but exceptions can be made from the following settings. Default value is "undefined".