refactor: add DomainError::Forbidden + centralize error-to-HTTP mapping

Ownership checks (delete_review, confirm/dismiss watch events) now
return Forbidden instead of Unauthorized. Presentation layer maps
DomainError→StatusCode via domain_error_response helper, replacing
verbose per-handler match arms.

crates/application/src/integrations/confirm.rs

@@ -25,7 +25,7 @@ pub async fn execute(ctx: &AppContext, cmd: ConfirmWatchEventsCommand) -> Result
             .ok_or_else(|| DomainError::NotFound(format!("WatchEvent {}", c.watch_event_id)))?;
 
         if event.user_id() != &user_id {
-            return Err(DomainError::Unauthorized("not your watch event".into()));
+            return Err(DomainError::Forbidden("not your watch event".into()));
         }
 
         let input = if let Some(movie_id) = event.movie_id() {

crates/application/src/integrations/dismiss.rs

@@ -27,7 +27,7 @@ pub async fn execute(ctx: &AppContext, cmd: DismissWatchEventsCommand) -> Result
     }
     for event in &events {
         if event.user_id() != &user_id {
-            return Err(DomainError::Unauthorized("not your watch event".into()));
+            return Err(DomainError::Forbidden("not your watch event".into()));
         }
     }