Sanity check PSBT before signing

[notmandatory]

"Wallet::sign, which could presumably be called with externally-provided PSBTs, calls update_psbt_with_descriptor which assumes multiple invariants on the PSBT. The PSBT is not sanity checked beforehand and would therefore make it possible to crash an application using the library and exposing a sign endpoint. The invariants are assumed in PsbtUtils::get_utxo_for's implementation for Psbt (called from update_psbt_with_descriptor): it assumes the inner tx has at least as many inputs as the PSBT and it assumes that the transaction provided in the PSBT input's non_witness_utxo field has does contain the output index referenced by the inner transaction."

"In the signer module, the previous transaction contained in a PSBT input is not validated against the outpoint for legacy and segwit v0 transactions. This is checked when creating a transaction, but this module may be used to sign a PSBT as an external participant."