Prohibit using disjoint signatures to cover the auth tree. (#942)

This makes it so require auth calls like A->B can't succeed if signatures for A and B are passed separately. This is achieved via requiring all the authorized calls to belong to some active root higher up the tree (if any).

It is still possible to have multiple disjoint trees on behalf of the same address, but they must have their roots at the same call tree level.