
Do not allow creating epic notes when synced work item is locked

What does this MR do and why?

Related to #474245

Update the epic policies to check whether the synced work item is locked, so that no new notes can be created on a locked epic.

This check was previously unnecessary because epics could not be locked. It is possible now, since the migration to work items: each epic has an associated work item record, and that record carries the discussion_locked attribute.

Note that this is not a security concern: the work item is only reachable when the work_item_epics feature flag is enabled, and that flag has not been rolled out yet.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. In the console, create an epic in a public group and take note of its ID and its group ID
group = Group.first
user = User.first
epic = Epics::CreateService.new(group: group, current_user: user, params: { title: "Test Locked Epic" }).execute
  2. Log in with a user that is not a member of the epic's group and create a personal access token with the api scope at http://127.0.0.1:3000/-/user_settings/personal_access_tokens
  3. With this token, verify that a new note can be added to the epic via the REST API
export GROUP_ID=<Your Group Id>
export EPIC_ID=<Your Epic Id>
export GITLAB_PAT=<your api token>

curl -X POST -H "Authorization: Bearer $GITLAB_PAT" -d body=Hello http://127.0.0.1:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_ID/notes
  4. Back in the console, lock the synced work item
epic = Epic.find(<Your Epic Id>)
epic.work_item.update!(discussion_locked: true)
  5. Repeat the request from step 3 and verify that it now responds with {"message":"403 Forbidden"}
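The following is an added, self-contained model of the policy change described above and of the validation steps; it is example code written for this page, not GitLab's own Epic, WorkItem or EpicPolicy classes. The class and method names are simplified stand-ins, the behaviour of the synced work item (the epic delegates its lock state to it) follows the MR description, and the rule that group members may still comment on a locked discussion is an assumption made here, not something the MR states.

```ruby
# Added example, not GitLab code: a minimal model of "epic policies check whether
# the synced work item is locked before allowing create_note".
# Assumptions: Group#member? decides membership, and members keep the ability to
# comment on a locked discussion (not stated in the MR; assumed here).

WorkItem = Struct.new(:discussion_locked, keyword_init: true)
User     = Struct.new(:id, keyword_init: true)

class Group
  def initialize(member_ids:, public: true)
    @member_ids = member_ids
    @public = public
  end

  def public?
    @public
  end

  def member?(user)
    @member_ids.include?(user.id)
  end
end

class Epic
  attr_reader :group, :work_item

  def initialize(group:, work_item:)
    @group = group
    # The work item record created by the epics migration; it carries the lock flag.
    @work_item = work_item
  end

  # Epics never had a lock attribute of their own; the synced work item does.
  # A missing work item (defensive, nil-safe) is treated as "not locked".
  def discussion_locked?
    !!work_item&.discussion_locked
  end
end

class EpicPolicy
  def initialize(user, epic)
    @user = user
    @epic = epic
  end

  def can_read?
    @epic.group.public? || @epic.group.member?(@user)
  end

  # The check this MR adds: once the synced work item is locked, a non-member
  # can no longer create notes. Members still can (assumption, see lead-in).
  def can_create_note?
    return false unless can_read?
    return true unless @epic.discussion_locked?

    @epic.group.member?(@user)
  end
end

# Mirrors the REST endpoint's outcome: 201 when the policy allows the note,
# 403 Forbidden when it denies it.
def post_note_status(user, epic)
  EpicPolicy.new(user, epic).can_create_note? ? 201 : 403
end

# Constructed scenario following the validation steps above.
member     = User.new(id: 1)
non_member = User.new(id: 2)
group      = Group.new(member_ids: [1], public: true)
epic       = Epic.new(group: group, work_item: WorkItem.new(discussion_locked: false))

before_lock = post_note_status(non_member, epic)    # 201: note accepted
epic.work_item.discussion_locked = true             # step 4: lock the synced work item
after_lock  = post_note_status(non_member, epic)    # 403 Forbidden
member_lock = post_note_status(member, epic)        # 201 under the assumed member rule

puts "non-member before lock: #{before_lock}, after lock: #{after_lock}, member after lock: #{member_lock}"
```

The point of the model is the delegation in Epic#discussion_locked?: the policy asks the epic, and the epic answers from the synced work item, so an epic whose work item gets locked in the console (as in step 4) is refused notes without any change to the Epic table itself.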
Edited by Eugenia Grieff