Harden backup security: password confirmation, CSRF, env toggle

Address security review feedback from jbtronics:

- Add IS_AUTHENTICATED_FULLY to all sensitive endpoints (create/delete
  backup, delete log, download backup, start update, restore)
- Change backup download from GET to POST with CSRF token
- Require password confirmation before downloading backups (backups
  contain sensitive data like password hashes and secrets)
- Add DISABLE_BACKUP_DOWNLOAD env var (default: disabled) to control
  whether backup downloads are allowed
- Add password confirmation modal with security warning in template
- Add comprehensive tests: auth checks, env var blocking, POST-only
  enforcement, status/progress endpoint auth

translations/messages.en.xlf

@@ -12563,6 +12563,24 @@ Buerklin-API Authentication server:
         <target>Download backup</target>
       </segment>
     </unit>
+    <unit id="um_bk_download_pw" name="update_manager.backup.download.password_label">
+      <segment state="translated">
+        <source>update_manager.backup.download.password_label</source>
+        <target>Confirm your password to download</target>
+      </segment>
+    </unit>
+    <unit id="um_bk_download_warn" name="update_manager.backup.download.security_warning">
+      <segment state="translated">
+        <source>update_manager.backup.download.security_warning</source>
+        <target>Backups contain sensitive data including password hashes and secrets. Please confirm your password to proceed with the download.</target>
+      </segment>
+    </unit>
+    <unit id="um_bk_download_invalid_pw" name="update_manager.backup.download.invalid_password">
+      <segment state="translated">
+        <source>update_manager.backup.download.invalid_password</source>
+        <target>Invalid password. Backup download denied.</target>
+      </segment>
+    </unit>
     <unit id="um_bk_docker_warning" name="update_manager.backup.docker_warning">
       <segment state="translated">
         <source>update_manager.backup.docker_warning</source>