Return content data with no access right for default group "contentapiread"

Description

Steps to reproduce

Precondition: Keep default settings in the ConfigurationService class that RequiredRole & MinimumRoles settings are set to VirtualContentApiRole as "contentapiread".

1. Create a new group named WebAdmins or WebEditors or "contentapiread".
2. Create new user in the group.
3. Do not add virtual role mapping to the group.
4. Set access rights for a page (e.g.: Start): Read right for the "Everyone" virtual role, but no rights for the created user and group.
5. Create an access token for the user.
6. Send a request to get content:

{{EPCMSHost}}/api/episerver/v1.0/content/5

Expected:
Returns error code 403 Forbidden because RequiredRole is limited to "contentapiread" but not others.

Actual:
Returns code 200 with content data.