Improve errors for aws login with an unbound ARN

[mikegrass]

During AWS login / renew, vault has logic to try to match the caller's identity against one of the BoundIamPrincipalARNs associated with the vault role.

The third step of this logic is to try to match any wildcard entries in the BoundIamPrincipalARNs for the vault role to the fully-resolved ARN of the caller's identity.

In some environments, especially with cross-AWS account logins, resolving the full ARN is unlikely to succeed, which leads to rather confusing error messages:

2020-08-24T01:46:41.442Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.company.com/v1/auth/aws/login
Code: 400. Errors:
* error looking up full ARN of entity &{aws 123456789012 assumed-role  my-role some-session}: error fetching role "my-role": NoSuchEntity: The role with name my-role cannot be found.
        status code: 404, request id: f0256e67-fd5f-4e45-b457-f456570bf6bb" backoff=2.852132462

However, resolving the full ARN only needs to be done if there are any wildcard entries in BoundIamPrincipalARNs, since the full ARN is only used in that path.

This PR:

1. Checks for wildcard entries in BoundIamPrincipalARNs before trying to resolve the full ARN. If there are none, it immediately returns with an error indicating the vault role is not bound to the caller's ARN, shortcutting the logic to resolve the full ARN (which wouldn't have been used anyway since there are no wildcard entries).
2. Augments error messages returned in this path to include the vault role, which can be helpful information for support teams when customers copy & paste the error message from the vault login call (currently a frequently-asked follow-up question is, "which vault role were you trying to log in with?").

[hashicorp-cla]

All committers have signed the CLA.