gnutls with allowlisting doesn't allow enabling sigalgs with priority strings
A signature algorithm disabled through allowlisting (e.g. with crypto-policies) cannot be re-enabled with priority strings alone.
How reproducible: reliably
Steps to Reproduce (you can find the full steps in the attached reproducer):
- remove mentions of RSA-PSS-RSAE-SHA256 from the gnutls config, e.g. using a subpolicy containing
  sign = -RSA-PSS-RSAE-SHA2-256
- attempt a connection from a client to a server which both use
  @SYSTEM:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256
  as a priority string
Actual results:
<4> HSK[0x55f399502800]: CERTIFICATE VERIFY (15) was received. Length 260[260], frag offset 0, frag length: 260, sequence: 0
<4> HSK[0x55f399502800]: Parsing certificate verify
<4> HSK[0x55f399502800]: verifying TLS 1.3 handshake data using RSA-PSS-RSAE-SHA256
<3> ASSERT: pubkey.c[pubkey_verify_data]:2426
<3> ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1942
<3> ASSERT: tls13-sig.c[_gnutls13_handshake_verify_data]:128
<3> ASSERT: tls13/certificate_verify.c[_gnutls13_recv_certificate_verify]:131
<3> ASSERT: handshake-tls13.c[_gnutls13_handshake_client]:129
Fatal error: One of the involved algorithms has insufficient security level.
<5> REC: Sending Alert[2|71] - Insufficient security
Expected results: the connection succeeds and uses RSA-PSS-RSAE-SHA256
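A reproducer sketch for the steps above, added here and not the reproducer attached to this report. It assumes a Fedora/RHEL-style host whose crypto-policies generates a GnuTLS allowlist config, the GnuTLS command-line tools (certtool, gnutls-serv, gnutls-cli), and root, since it installs a constructed subpolicy module named NOPSSRSAE; classify_handshake turns the gnutls-cli debug output into a verdict matching the actual and expected results.

```shell
#!/bin/sh
# Added reproducer sketch (not the report's attachment). Assumes a Fedora/RHEL-style host with
# a crypto-policies that emits a GnuTLS allowlist config, GnuTLS tools installed, and root.
set -u
PRIO='@SYSTEM:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256'
PORT=5556
MODULE=NOPSSRSAE   # constructed subpolicy name, not from the report
# Classify gnutls-cli -d 4 output. Prints one of:
#   rejected-by-allowlist  (the alert shown under "Actual results")
#   handshake-ok           (the expected result: handshake done with RSA-PSS-RSAE-SHA256)
#   other-failure
classify_handshake() {
    if printf '%s\n' "$1" | grep -q 'Insufficient security'; then
        echo rejected-by-allowlist
    elif printf '%s\n' "$1" | grep -q 'Handshake was completed' &&
         printf '%s\n' "$1" | grep -q 'using RSA-PSS-RSAE-SHA256'; then
        echo handshake-ok
    else
        echo other-failure
    fi
}
# Step 1: drop the sigalg from the crypto-policies allowlist via a subpolicy.
install_subpolicy() {
    printf 'sign = -RSA-PSS-RSAE-SHA2-256\n' > "/etc/crypto-policies/policies/modules/$MODULE.pmod"
    update-crypto-policies --set "DEFAULT:$MODULE"
}
# Self-signed test certificate with an RSA key, so RSA-PSS-RSAE can be negotiated.
make_cert() {
    certtool --generate-privkey --outfile "$1/key.pem"
    printf 'cn = localhost\ndns_name = localhost\nca\ntls_www_server\nexpiration_days = 1\n' > "$1/tmpl"
    certtool --generate-self-signed --load-privkey "$1/key.pem" --template "$1/tmpl" --outfile "$1/cert.pem"
}
# Step 2: client and server both use PRIO; the verdict is the last line printed.
reproduce() {
    dir=$(mktemp -d)
    make_cert "$dir"
    gnutls-serv --port "$PORT" --x509keyfile "$dir/key.pem" --x509certfile "$dir/cert.pem" --priority "$PRIO" &
    srv=$!
    sleep 1
    out=$(gnutls-cli -d 4 --port "$PORT" --x509cafile "$dir/cert.pem" --priority "$PRIO" localhost </dev/null 2>&1 || true)
    kill "$srv"
    classify_handshake "$out"
}
# Run as: sh repro.sh run   (afterwards restore the policy with: update-crypto-policies --set DEFAULT)
if [ "${1:-}" = run ]; then
    install_subpolicy
    reproduce
fi
```

A verdict of rejected-by-allowlist is the behaviour this report describes; handshake-ok is what a fixed build should print.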