Clean up market actor withdraw address handling

[anorth]

The built-in market actor has odd address checking logic for withdrawals, different from the miner actor.

• It only permits withdrawing to the miner owner (ignores beneficiary)
• It is only allows the owner or worker address to be the caller (ignores other control addresses)

Allowing only the worker address specifically prevents retiring the GetControlAddresses method from the miner, as desired by #816. So one concrete change to make is to change the behaviour to accept any control address, and this will be a pattern that other markets can follow.

For payout beneficiaries, maybe there's a design question here. Markets shouldn't have to know too much about how miner beneficiary/equity structure works. It would be nice to delegate decision about where payment goes to the miner actor, or something. Should we pay to the actor itself (then the user will need to withdraw again from there)? Or add a value-receiving method to the miner actor, which routes it out to current beneficiary? Or add a proxy method to the miner so that a message can be routed through it? Or use standard message authentication?