fix(dgw): correct CredSSP credential injection for RDCleanPath

[CBenoit]

Fixes several issues in the RDCleanPath credential injection flow:

• Used wrong public key for client-side CredSSP: was using target server's public key instead of gateway's own public key. When performing credential injection, the client performs CredSSP authentication against the gateway.

• Hardcoded HYBRID_EX security protocol regardless of client support: now properly negotiates based on what the client actually advertises.

• Global cache for gateway public key only stored one entry: if multiple TLS acceptors with different certificates existed, wrong key could be returned. Now uses per-acceptor caching keyed by config pointer.

• Missing intercept_connect_confirm call: the Connect Initial PDU wasn't being intercepted to update the server_selected_protocol field, causing protocol mismatch issues.

• Token mismatch not verified: credential entry token wasn't compared against the received cleanpath PDU token.

• Redundant authorization: handle_with_credential_injection was re-authorizing the token when process_cleanpath already does it. Now reuses claims from process_cleanpath.

• Unused _credential_store parameter in process_cleanpath.

• TLS utilities (extract_tls_server_public_key, GetPeerCert, get_cached_gateway_public_key) moved from rdp_proxy.rs to tls.rs.

• Unnecessary Sync + 'static bounds on async stream types reduced to just Send.

• Replaced #[allow(...)] with #[expect(...)] for suppressions.

• Simplified NetworkClient struct into send_network_request function.

• Various error handling improvements using .context() instead of anyhow::anyhow!().

• Updated sspi-rs with important fixes.

Changelog: ignore