Streaming destinations should not be created for subgroups via API

Current behavior

Our GraphQL API currently allows for destinations for audit events at the subgroup-level.

From https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/graphql/mutations/audit_events/external_audit_event_destinations/create.rb

def resolve(destination_url:, group_path:)
  group = authorized_find!(group_path)
  destination = ::AuditEvents::ExternalAuditEventDestination.new(group: group, destination_url: destination_url)

  audit(destination, action: :create) if destination.save

  { external_audit_event_destination: (destination if destination.persisted?), errors: Array(destination.errors) }
end

private

def find_object(group_path)
  ::Group.find_by_full_path(group_path)
end

Expected behavior

Destinations should only be allowed to be set up at the root group-level.

Technical implementation

Attempting to create a destination on a subgroup should return a 400 Bad Request error.