Fix: Prevent cancellation of past appointments

Add check to both user and admin cancel endpoints to reject
cancellation of appointments whose slot_start is in the past.
This matches the spec requirement that cancellations can only
happen 'before the appointment'.

Added tests for both user and admin cancel endpoints.

Also includes frontend styling updates.

backend/routes/booking.py

@@ -266,6 +266,13 @@ async def cancel_my_appointment(
             detail=f"Cannot cancel appointment with status '{appointment.status.value}'"
         )
     
+    # Check if appointment is in the past
+    if appointment.slot_start <= datetime.now(timezone.utc):
+        raise HTTPException(
+            status_code=400,
+            detail="Cannot cancel a past appointment"
+        )
+    
     # Cancel the appointment
     appointment.status = AppointmentStatus.CANCELLED_BY_USER
     appointment.cancelled_at = datetime.now(timezone.utc)
@@ -346,6 +353,13 @@ async def admin_cancel_appointment(
             detail=f"Cannot cancel appointment with status '{appointment.status.value}'"
         )
     
+    # Check if appointment is in the past
+    if appointment.slot_start <= datetime.now(timezone.utc):
+        raise HTTPException(
+            status_code=400,
+            detail="Cannot cancel a past appointment"
+        )
+    
     # Cancel the appointment
     appointment.status = AppointmentStatus.CANCELLED_BY_ADMIN
     appointment.cancelled_at = datetime.now(timezone.utc)