
fix(jwt-bundle): honor jwt-svid use when loading authorities#418

Closed
maxlambrecht wants to merge 1 commit into spiffe:main from maxlambrecht:fix-jwtbundle-use-jwt-svid-only

Conversation

@maxlambrecht
Member

What

Enforce SPIFFE bundle semantics for JWT-SVID keys when loading JWT bundles. Only JWKs with use=jwt-svid are treated as JWT authorities, kid remains required for those JWT-SVID keys, and entries for other SVID types or unknown key types are ignored instead of being used as JWT authorities.

Why

Previously, JWT bundle ingestion accepted all EC/RSA JWKs regardless of the use parameter. This could cause incorrect behavior when consuming generic or mixed SPIFFE bundles, where keys for x509-svid or other usages might be present alongside JWT-SVID keys. The SPIFFE JWT-SVID and SPIFFE Bundle specifications require that JWT-SVID signing keys be selected via use=jwt-svid and that kid be present. Aligning the implementation with these semantics ensures only intended JWT-SVID keys are used for JWT validation and avoids treating other keys as JWT authorities.

How tested

Updated JwtBundleTest to:

  • Verify that a JWKS containing one jwt-svid key and one x509-svid key only loads the jwt-svid key as a JWT authority.
  • Confirm that JWT-SVID keys missing kid still fail with JwtBundleException.
  • Ensure that non-JWT-SVID unknown-key-type entries are ignored.

Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
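As an added illustration (not code from the java-spiffe PR), the trust-bundle selection rule described above in Python: only entries with use=jwt-svid become JWT authorities, kid is required for them, and other usages or unknown key types are skipped. The sample bundle and its key values are constructed placeholders, and the helper names are my own; as the closing comment notes, this rule is for raw SPIFFE trust bundles, not for the JWK Sets returned by the Workload API's FetchJWTBundles.

```python
import json

# Constructed sample: a mixed SPIFFE trust bundle (JWKS) with one jwt-svid key,
# one x509-svid key (carries x5c, no kid), and one entry of an unsupported key
# type. Key material values are placeholders, not real keys.
MIXED_BUNDLE = json.dumps({
    "keys": [
        {"kty": "EC", "use": "jwt-svid", "kid": "key-1", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y"},
        {"kty": "EC", "use": "x509-svid", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y",
         "x5c": ["placeholder-cert"]},
        {"kty": "OKP", "use": "jwt-svid", "kid": "key-3", "crv": "Ed25519",
         "x": "placeholder-x"},
    ]
})

# Constructed sample: a jwt-svid key of a supported type without a kid.
MISSING_KID_BUNDLE = json.dumps({
    "keys": [{"kty": "RSA", "use": "jwt-svid", "n": "placeholder-n", "e": "AQAB"}]
})

# Key types the loader knows how to turn into verification keys (hypothetical set).
SUPPORTED_KTY = {"EC", "RSA"}


class JwtBundleError(ValueError):
    """Raised when a jwt-svid entry violates the bundle requirements."""


def load_jwt_authorities(jwks_json: str) -> dict:
    """Return {kid: jwk} for the JWT authorities in a SPIFFE trust bundle."""
    authorities = {}
    for jwk in json.loads(jwks_json).get("keys", []):
        if jwk.get("use") != "jwt-svid":
            continue  # x509-svid or any other usage: never a JWT authority
        if jwk.get("kty") not in SUPPORTED_KTY:
            continue  # unknown key type: ignore rather than fail the bundle
        kid = jwk.get("kid")
        if not kid:
            raise JwtBundleError("jwt-svid key is missing the required kid")
        authorities[kid] = jwk
    return authorities


def missing_kid_is_rejected(jwks_json: str) -> bool:
    """True if loading the bundle fails because a jwt-svid key lacks kid."""
    try:
        load_jwt_authorities(jwks_json)
    except JwtBundleError:
        return True
    return False
```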
@maxlambrecht maxlambrecht requested a review from rturner3 as a code owner March 18, 2026 18:12
@maxlambrecht
Member Author

Closing this PR. The use == "jwt-svid" filtering I added was based on SPIFFE trust bundle semantics, but this code only consumes JWT bundles from the Workload API, not raw SPIFFE trust bundles.

Per the Workload API spec, FetchJWTBundles already returns JWK Sets for JWT-SVID signing keys, so re-filtering by use in the client path is not appropriate here.
