use more CEL webhookConfiguration.matchConditions in disallow-default Kyverno policy

This policy today results in frequent Kyverno webhook calls.

This is less efficient and introduces a fragility point (when the Kyverno webhook isn't available, API requests will fail).

!2774 (merged) has introduced some API server-side CEL criteria, but we should express all the conditions of this policy as CEL webhookConfiguration.matchConditions so that this policy will typically never trigger webhook calls.

/cc @feleouet
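An added sketch of the approach, not the project's actual policy and not part of the original issue. It assumes that "disallow-default" means rejecting Pods created in the `default` namespace; the policy name, rule name, matched kind and message are hypothetical.

```yaml
# Illustrative only: assumed policy content, not taken from the repository.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace        # hypothetical name
spec:
  validationFailureAction: Enforce
  background: false
  webhookConfiguration:
    # Evaluated by the API server before it contacts Kyverno.
    # Every expression must be true for the webhook to be called, so a
    # request outside "default" never reaches Kyverno and cannot fail
    # because the webhook is unavailable.
    matchConditions:
      - name: only-default-namespace
        expression: "request.namespace == 'default'"
      - name: only-create-or-update
        expression: "request.operation in ['CREATE', 'UPDATE']"
  rules:
    - name: validate-namespace            # hypothetical rule name
      match:
        any:
          - resources:
              kinds:
                - Pod                     # assumed kind
      validate:
        message: "Using the 'default' namespace is not allowed."
        # Kept as the authoritative check; with the matchConditions above
        # it only runs for requests that are already likely violations.
        pattern:
          metadata:
            namespace: "!default"
```

Because the CEL conditions mirror the rule's own criteria, compliant requests are admitted without a webhook round trip, and only requests targeting `default` depend on Kyverno being reachable.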
