Implement new `create_runner` PPGAT scope

Currently, the POST /user/runners REST API requires the api scope on a token. This carries a lot of risk when the goal is just to create new runners. So we should create a create_runner scope that serves only for creating runners, as suggested in https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25351#note_854111575.