Move to single instance of TiledClient created at startup

[DiamondJoseph]

In this change, we moved the TiledWriter from being a single instance created at startup to being created per-Task run, this is to enable the headers to be injected before making a request to the root node of tiled, as otherwise the authorization check fails as there is no principal token.

If Tiled allow_anonymous_access allows access to the root node, but filters out all child nodes (i.e. access_policy.filters() with no Principal returns NO_ACCESS), we can restore previous behaviour of a single TiledClient

Acceptance Criteria

• Specific criteria that will be used to judge if the issue is fixed