feat: add extra claims to self-issued token and verify it

What does this merge request do and why?

Related issue: https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist/-/issues/1735

This MR hardens the self-issued token by adding extra claims for project and namespace metadata, and adds verification on the proxy endpoints that these claims match the corresponding request headers.

Changes

Token Generation (/code/user_access_token endpoint)

  • Removed validation for X-Gitlab-Global-User-Id, X-Gitlab-Instance-Id, and X-Gitlab-Realm headers (now sourced from token claims)
  • Added support for extra claims in self-issued tokens for SaaS environments:
    • gitlab_project_id
    • gitlab_namespace_id
    • gitlab_root_namespace_id
  • Extra claims are only added when gitlab_realm is "saas" to prevent arbitrary values from self-managed instances
  • Updated to use current_user.global_user_id and user_claims from the authenticated token

Token Verification (Proxy endpoints)

  • Added new verify_project_namespace_metadata() decorator to validate request headers against token claims
  • Applied verification to all proxy endpoints (Anthropic, OpenAI, Vertex AI)
  • Verifies that the following headers match the token claims:
    • Instance ID
    • Project ID
    • Namespace ID
    • Root namespace ID
  • Returns 403 Forbidden on mismatch
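The two sides described above (claim population at token generation, header-vs-claim verification on the proxy endpoints), as an added example that is not the ai-assist project's own code. It is written as plain functions rather than a FastAPI decorator so it runs stand-alone; X-Gitlab-Instance-Id is the header named in this MR, the project and namespace header names are assumptions.

```python
from typing import Mapping, Optional

# Claim name -> request header that must carry the same value.
# Only X-Gitlab-Instance-Id is named in the MR; the other header names are assumed.
EXTRA_CLAIM_HEADERS = {
    "gitlab_project_id": "x-gitlab-project-id",                # assumed header name
    "gitlab_namespace_id": "x-gitlab-namespace-id",            # assumed header name
    "gitlab_root_namespace_id": "x-gitlab-root-namespace-id",  # assumed header name
}
INSTANCE_HEADER = "x-gitlab-instance-id"


def _lower(headers: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def extra_claims_for(realm: str, headers: Mapping[str, str]) -> dict:
    """Token generation: copy project/namespace ids from the request into the
    token only for the SaaS realm. A self-managed instance controls its own
    headers, so its values are never promoted into trusted claims."""
    if realm != "saas":
        return {}
    lower = _lower(headers)
    return {claim: lower[hdr] for claim, hdr in EXTRA_CLAIM_HEADERS.items() if hdr in lower}


def verify_project_namespace_metadata(
    claims: Mapping[str, str], headers: Mapping[str, str]
) -> Optional[str]:
    """Proxy-side check: every pinned claim present in the token must equal the
    matching request header. Returns None when consistent, otherwise the
    reason the request should be rejected. A claim absent from the token (for
    example a self-managed token without extra claims) is not pinned; this
    leniency is an assumption of the example, not stated by the MR."""
    lower = _lower(headers)
    pinned = {"gitlab_instance_id": INSTANCE_HEADER, **EXTRA_CLAIM_HEADERS}
    for claim, header in pinned.items():
        token_value = claims.get(claim)
        if token_value is None:
            continue
        # A missing header is a mismatch too: lower.get() yields None != value.
        if lower.get(header) != str(token_value):
            return f"{header} does not match token claim {claim}"
    return None


def proxy_status(claims: Mapping[str, str], headers: Mapping[str, str]) -> int:
    """HTTP status a proxy endpoint would answer with: 403 on mismatch, else 200."""
    return 403 if verify_project_namespace_metadata(claims, headers) else 200
```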

Dependencies

  • Updated gitlab-cloud-connector to version ^3.15.1 to support the new UserClaims and extra claims functionality

Tests

  • Refactored user access token tests to separate SaaS and self-managed scenarios
  • Added tests for extra claims in SaaS tokens
  • Added comprehensive mismatch tests for all proxy endpoints
  • Updated all test fixtures to include required claims and headers

Edited by Igor Drozdov
