Fix policy violation registration to consider branch rules before creating violations

Problem

Based on the spike research in #553189 (closed), we've identified that security policy violations are currently registered for all branches and filtered later during evaluation. This creates:

  • Technical debt in the violation system
  • False positive violation details in Policy Bot comments
  • Confusing approval settings behavior where policies apply regardless of branch rules
  • Performance inefficiencies

Solution

Implement pre-filtering of policy violations based on branch rules before registration, rather than registering all violations and filtering them later.

Key changes

  • In ee/app/models/approval_project_rule.rb:265, add branch-matching evaluation before violation registration, so that a violation is only registered when the rule's branch rules match the merge request's target branch
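The following is an added illustration of the pre-filtering described above, not GitLab's own implementation in `approval_project_rule.rb`. The `Rule` struct, the wildcard-to-regex conversion for branch patterns, and the two registration functions are assumptions made for this example; the sample rules and branch names are constructed.

```ruby
# Added example (not GitLab code): only register a policy violation when the
# rule's branch rules match the merge request's target branch, instead of
# registering violations for every branch and filtering during evaluation.

# Hypothetical rule shape: a name, the branch patterns the rule applies to
# (nil or empty means every branch), and whether the scan found a violation.
Rule = Struct.new(:name, :branches, :violated, keyword_init: true)

# Convert a wildcard branch pattern such as "release/*" into an anchored regex.
# Assumption for this example: "*" matches any run of characters, "/" included.
def branch_pattern_regex(pattern)
  Regexp.new("\\A#{Regexp.escape(pattern).gsub('\*', '.*')}\\z")
end

# A rule without branch restrictions applies everywhere; otherwise the target
# branch must match at least one of the rule's patterns.
def rule_applies_to_branch?(rule, target_branch)
  return true if rule.branches.nil? || rule.branches.empty?

  rule.branches.any? { |pattern| branch_pattern_regex(pattern).match?(target_branch) }
end

# Old behaviour: every violated rule is registered regardless of branch, which
# is what produced the false positives in Policy Bot comments.
def violations_registered_for_all_branches(rules)
  rules.select(&:violated).map(&:name)
end

# New behaviour: evaluate branch matching first and register only the
# violations that actually apply to the target branch.
def violations_prefiltered_by_branch(rules, target_branch)
  rules
    .select { |rule| rule.violated && rule_applies_to_branch?(rule, target_branch) }
    .map(&:name)
end

# Constructed sample rules for a project.
RULES = [
  Rule.new(name: 'critical-vulns-main', branches: ['main'], violated: true),
  Rule.new(name: 'license-release', branches: ['release/*'], violated: true),
  Rule.new(name: 'secrets-any-branch', branches: [], violated: true),
  Rule.new(name: 'sast-main-clean', branches: ['main'], violated: false)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "all branches:  #{violations_registered_for_all_branches(RULES).inspect}"
  puts "feature/x:     #{violations_prefiltered_by_branch(RULES, 'feature/x').inspect}"
  puts "release/17.3:  #{violations_prefiltered_by_branch(RULES, 'release/17.3').inspect}"
end
```

For a merge request targeting `feature/x`, the old path registers three violations and the pre-filtered path registers only the branch-agnostic one; the two branch-restricted rules never produce a violation row that later has to be filtered out of the approval evaluation or the bot comment.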

Spike MR !211374 (diffs)
