Provide a better way to limit token access to Vault secrets based on group membership

This is a follow-up to #435848 (closed).

!146881 (merged) added a groups_direct claim to the CI JWT token, but this caused the token to balloon in size, which is a problem since HTTP headers may be constrained in size by the Web/proxy server.

In !161075 (merged), groups_direct has been put behind the ci_jwt_groups_direct feature flag in GitLab versions 17.2.2, 17.1.4, 17.0.6, 16.11.8.

We should find a more robust solution to this problem. Some initial ideas are in #467253 (comment 2021027290).
