Overriding the API URL in the client is fragile

If we set a `data-consent-api-url` attribute on any element in the DOM, it will be used to override the URL that the client JS uses for API queries. This is useful for running in different environments.

There is no defensive coding around the use of the data attribute value. This should be considered user input and treated carefully.
