Handle invalid inputs consistently with respect to constant-time

[jonasnick]

Right now, we have two different ways of handling invalid inputs in constant-time functions:

1. The function is constant-time, even for invalid inputs. For example, secp256k1_schnorrsig_sign_internal continues with the signing procedure even if keypair_load fails (which happens when the keypair is unitialized):

   ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair);
   ...
   return ret;
   

   This works because even if secp256k1_keypair_load fails, valid values (sk=1, pk=G) are returned.
2. The function is constant-time only for valid inputs. For example, in secp256k1_musig_partial_sign, we have

   if (!secp256k1_keypair_load(ctx, &sk, &keypair_pk, keypair)) {
       secp256k1_musig_partial_sign_clear(&sk, k);
       return 0;
   }
   

   This works because the return value of keypair_load is declassified.

I think we should make functions only constant-time with respect to valid inputs. This leads to more readable and maintainable code (due to fewer ret &=). Calling functions with invalid inputs (such as an unitialized keypair) should never happen outside of development.

Whatever version we're choosing, we should document it in CONTRIBUTING.md.