Witness API makes it hard to comply with C2SP spec

[AlCutter]

Description

Since the internal witness API predates the C2SP tlog-tiles spec, there are some slight "impedance mismatches" between them which makes it hard to have the bastion feeder operate within spec in certain situations.

The main case I'm aware of is related to logs sending and oldCP value which does not match the witness' latest cosigned checkpoint for that log, but we also return an incorrect HTTP status code for mismatched roots. The upshot is that logs which are confused cannot use the mechanism described by the spec to recover.

The use of status codes in errors to hint at what the problem is makes it hard to distinguish cases which require different handling according to the spec.