Use instance_identifier for SM trial Cloud Connector tokens to fix header mismatch

Problem

In !13294, we introduced TrialAccountGitlabInstance to support Cloud Connector access tokens for SM cloud licensing trials. At the time, we used unique_instance_id instead of instance_identifier because:

  1. SM cloud licensing trials require a minimum GitLab version that ensures this field is present
  2. It provides better security than the client-provided instance_identifier

However, during testing of Duo Core features with SM trials (!14001), we discovered that this approach causes a mismatch between the JWT token claims and the headers sent to AI Gateway, resulting in authentication failures.

Technical Details

The issue stems from how AI Gateway validates requests:

  • GitLab instance ID header: GitLab sends its instance ID in the X-Gitlab-Instance-Id header
  • JWT token subject: the Cloud Connector token's sub claim is set to unique_instance_id
  • JWT gitlab_instance_uid claim: also set to unique_instance_id

AI Gateway requires that the sub claim in the JWT token matches the X-Gitlab-Instance-Id header. For trials this validation currently fails: the header carries the instance_identifier while the token's sub claim carries unique_instance_id, so the two never match.
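To make the mismatch concrete, here is an added Ruby example (not CustomersDot or AI Gateway code) that models the check: a stand-in HS256 signer, a trial token builder parameterised by which instance field becomes the sub claim, and a gateway-side check that verifies the signature and then compares sub against X-Gitlab-Instance-Id. The instance ids, shared secret, audience value and error strings are constructed for the example.

```ruby
require 'json'
require 'openssl'

# Constructed sample values (not real identifiers or secrets).
TRIAL_INSTANCE = {
  instance_identifier: 'inst-abc123', # client-provided id, sent as X-Gitlab-Instance-Id
  unique_instance_id: 'uid-789xyz'    # server-side id, previously used as the JWT sub
}.freeze
SIGNING_SECRET = 'hypothetical-shared-secret'.freeze
HEADERS = { 'X-Gitlab-Instance-Id' => TRIAL_INSTANCE[:instance_identifier] }.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  (str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)).unpack1('m0')
end
def hs256(signing_input)
  b64url(OpenSSL::HMAC.digest('SHA256', SIGNING_SECRET, signing_input))
end
# Constant-time comparison so a forged signature leaks no timing information.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal stand-in for the Cloud Connector signer: +subject_field+ selects which
# instance field becomes both the sub claim and gitlab_instance_uid.
def trial_token(instance, subject_field)
  id = instance.fetch(subject_field)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ sub: id, gitlab_instance_uid: id, aud: 'gitlab-ai-gateway' }.to_json)
  "#{header}.#{payload}.#{hs256("#{header}.#{payload}")}"
end

# Mirrors the gateway check described above: verify the signature, then require
# the sub claim to equal the X-Gitlab-Instance-Id header. Returns [ok, reason].
def gateway_authorize(token, headers)
  header, payload, sig = token.split('.')
  return [false, 'bad signature'] unless sig && secure_equal?(sig, hs256("#{header}.#{payload}"))
  claims = JSON.parse(b64url_decode(payload))
  header_id = headers['X-Gitlab-Instance-Id']
  return [false, "sub #{claims['sub']} != header #{header_id}"] unless claims['sub'] == header_id
  [true, 'ok']
end

# Same request headers, token subject taken from the old field vs. the proposed one.
def check(subject_field)
  gateway_authorize(trial_token(TRIAL_INSTANCE, subject_field), HEADERS)
end
puts "before fix: #{check(:unique_instance_id).inspect}"
puts "after fix:  #{check(:instance_identifier).inspect}"
```

Running it shows the trial token built from unique_instance_id being rejected against the same headers that accept the instance_identifier-based token.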

Proposal

Update the Cloud Connector logic for trials to use instance_identifier instead of unique_instance_id, aligning with the approach used for paid subscriptions (BillingAccountGitlabInstance).

This will:

  • Fix the JWT/header mismatch preventing Duo Core features from working
  • Ensure consistency across our Cloud Connector implementation
  • Simplify the logic for generating gitlab_instance_uid

Edited by Roy Zwambag