Fix SM direct access spec to expect 403

What does this MR do and why?

MR !226059 (merged) added SelfHostedDapBilling.self_hosted_dap_billing_enabled? to forbid_direct_access?, causing the /api/v4/code_suggestions/direct_access endpoint to return 403 for any self-managed instance using an online cloud license. This caused the self-managed direct-access specs to fail unexpectedly and be quarantined as :stale.

This MR updates the shared examples to use a direct_access_forbidden flag (defaulting to false) so each context can declare its expected behaviour:

References

https://gitlab.com/gitlab-org/quality/test-failure-issues/-/work_items/41699+

Screenshots or screen recordings

N/A — test-only change.

How to set up and validate locally

1. Ensure you have a self-managed GDK instance running with an online cloud license and a Duo Enterprise add-on with a seat assigned.

2. Run the orchestrated spec against your instance:

   bundle exec rspec qa/qa/specs/features/ee/api/3_create/code_suggestions_spec.rb      --tag orchestrated --tag ai_gateway

3. Confirm the three when seat is assigned examples pass, asserting Unexpected status code 403.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.