When trying out a simple failure path, I noticed that the input generation script and snark witness calculation both pass if an account holder transfers more tokens than they have in their balance. I didn't try it, but I assume proofs will pass verification too. I think we can fix this by adding constraints that the updated sender account balance is greater than 0.
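Why the witness calculation passes, as an added example (not the project's code): circuit arithmetic is modulo the field prime, so an overdrawn balance wraps to a huge field element that still satisfies the subtraction constraint, and a bit-decomposition range check is what rejects it. The BN254 scalar field, the 64-bit balance width and all function names are assumptions made for this sketch.

```python
# Added illustration, not the project's code. Modulus and bit width are assumptions.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # BN254 scalar field
BALANCE_BITS = 64  # assumed maximum width of a balance or amount


def subtraction_constraint_ok(balance, amount, new_balance):
    """The balance update as a field constraint: new = old - amount (mod P)."""
    return (balance - amount - new_balance) % P == 0


def range_check_ok(value, n_bits=BALANCE_BITS):
    """Bit-decomposition range check: the prover supplies n_bits bits, the
    circuit enforces b*(b-1) == 0 for each and sum(b_i * 2^i) == value (mod P)."""
    bits = [(value >> i) & 1 for i in range(n_bits)]  # prover's witness bits
    booleans = all((b * (b - 1)) % P == 0 for b in bits)
    recomposed = sum(b << i for i, b in enumerate(bits)) % P
    return booleans and recomposed == value % P


def transfer_accepted(balance, amount, with_range_check):
    """Return (accepted, new_balance) for a sender-side balance update."""
    new_balance = (balance - amount) % P  # what witness generation computes
    ok = subtraction_constraint_ok(balance, amount, new_balance)
    if with_range_check:
        # Both values bounded to 64 bits means new_balance fits only if
        # amount <= balance; a wrapped value is ~2^254 and fails.
        ok = ok and range_check_ok(amount) and range_check_ok(new_balance)
    return ok, new_balance


if __name__ == "__main__":
    # Constructed case: balance 10, transfer 25.
    print(transfer_accepted(10, 25, with_range_check=False))
    print(transfer_accepted(10, 25, with_range_check=True))
    print(transfer_accepted(10, 10, with_range_check=True))
```

The range check is applied to the amount as well as the new balance, because an unbounded amount such as `P - 5` would otherwise act as a negative transfer.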