JSON:API supports POST and PATCH for config entity types that are fully validatable

Background

In previous Drupal versions it was possible to GET config entities via JSON:API, but POSTing + PATCHing was disabled, because config entities did not yet have support for validation.

Modifying config entities without validation was not dangerous for security reasons (access checking for those operations works fine — so malicious activity is not possible). It was dangerous for site integrity/reliability reasons: invalid configuration can result in a broken site. Therefore the JSON:API module didn't allow to modify config entities.
(This problem does not exist when modifying config entities via the administrative user interface, because the necessary validation logic lives in the code behind the forms.)

Thanks to #1928868: Typed config incorrectly implements Typed Data interfaces + #3324150: Add validation constraints to config_entity.dependencies + #3364109: Configuration schema & required values: add test coverage for `nullable: true` validation support, config entities can now be validated: it added the necessary infrastructure. Check #2869792: [meta] Add constraints to all config entity types for a complete overview of all core config entity types that are currently supported.

Not every config entity type supports validation yet!

The next step is to add the necessary validation constraints for every config entity type, see #2869792: [meta] Add constraints to all config entity types. Please help out!

API additions

Ability to specify constraints for config schemas, including config schemas of config entity types (#1928868: Typed config incorrectly implements Typed Data interfaces)

For example if you have this today:

node.type.*:
  type: config_entity
  label: 'Content type'
  mapping:
    name:
      type: label
      label: 'Name'
    type:
      type: machine_name
      label: 'Machine-readable name'
    description:
      type: text
      label: 'Description'
      nullable: true
    preview_mode:
      type: integer
      label: 'Preview before submitting'
    display_submitted:
      type: boolean
      label: 'Display setting for author and date Submitted by post information'

you can expand it to:

node.type.*:
  type: config_entity
  label: 'Content type'
  constraints:
    FullyValidatable: ~
  mapping:
    name:
      type: label
      label: 'Name'
    type:
      type: machine_name
      label: 'Machine-readable name'
      constraints:
        # Node type machine names are specifically limited to 32 characters.
        # @see \Drupal\node\NodeTypeForm::form()
        Length:
          max: 32
    description:
      type: text
      label: 'Description'
      nullable: true
      constraints:
        NotBlank:
          allowNull: true
    preview_mode:
      type: integer
      label: 'Preview before submitting'
      constraints:
        # These are the values of the DRUPAL_DISABLED, DRUPAL_OPTIONAL, and
        # DRUPAL_REQUIRED constants.
        # @see \Drupal\node\NodeTypeForm::form()
        Choice: [0, 1, 2]
    display_submitted:
      type: boolean
      label: 'Display setting for author and date Submitted by post information'

It's that top-level FullyValidatable: ~ constraint (the tilde means no options are specified for this constraint) that indicates that this config entity type is fully validatable

Adding REST POST/PATCH support for your config entity type

See the example above, plus the issues linked from #2869792: [meta] Add constraints to all config entity types for examples. Also pay attention to the access control logic for your config entity type! Especially if you have more complex access logic than just the admin_permission that config entity types have.