Anonymous users still need "Access AJAX API" permission

Despite the recent permission change, there's an additional check that causes "Access AJAX API" to still be necessary.

CRM_Core_Invoke::runItem() checks both the access callback and page callback. Your change only affects the page callback.

I see you're using stripe_civicrm_alterAPIPermissions() but that's API3 only - so that code isn't working at all. We need stripe_civicrm_alterApiRoutePermissions in this scenario.