User feedback on request authorization and validation issues

On reCAPTCHA failure before:

And after:

Tech notes

Returning a raw response code 400 feels a bit uninformative/raw? Is there any reason why we shouldn't return normal API exceptions here?

If users just see 'error' they're going to be put off donating. We should try and make the feedback more informative.

Also related to: formprotection#18 (closed)