feat: support BackendCluster for Remote JWKS

[zhaohuabing]

This PR introduces support for representing JWT remote JWKS as Backend resources. With this enhancement, users can:

• Specify a self-signed CA: use BackendTLSPolicy to define a self-signed CA for the remote JWKS
• Configure retry policies: use rmoteJWKS.backendSettings.retry to sepecify the retry policy for the remote JWKS

Implements: #3536
Release Notes: Yes

[codecov]

Codecov Report

Attention: Patch coverage is 76.97368% with 35 lines in your changes missing coverage. Please review.

Project coverage is 66.65%. Comparing base (4d5d3f0) to head (82a48aa).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/securitypolicy.go	80.17%	16 Missing and 7 partials ⚠️
internal/xds/translator/jwt.go	66.66%	8 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5011      +/-   ##
==========================================
- Coverage   66.78%   66.65%   -0.13%     
==========================================
  Files         209      208       -1     
  Lines       32264    32300      +36     
==========================================
- Hits        21547    21531      -16     
- Misses       9421     9460      +39     
- Partials     1296     1309      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zhaohuabing]

SecuritcyPolicy validation has been moved from the xds translation to the API translation. This change allows validation errors to be caught earlier and reflected in the SecurityPolicy status.