fix(dgw): correct CredSSP credential injection for RDCleanPath (#1668)

Fixes several issues in the RDCleanPath credential injection flow:

- Used wrong public key for client-side CredSSP: was using target
server's public key instead of gateway's own public key. When performing
credential injection, the client performs CredSSP authentication against
the gateway.

- Hardcoded HYBRID_EX security protocol regardless of client support:
now properly negotiates based on what the client actually advertises.

- Global cache for gateway public key only stored one entry: if multiple
TLS acceptors with different certificates existed, wrong key could be
returned. Now uses per-acceptor caching keyed by config pointer.

- Missing `intercept_connect_confirm` call: the Connect Initial PDU
wasn't being intercepted to update the server_selected_protocol field,
causing protocol mismatch issues.

- Token mismatch not verified: credential entry token wasn't compared
against the received cleanpath PDU token.

- Redundant authorization: `handle_with_credential_injection` was
re-authorizing the token when `process_cleanpath` already does it. Now
reuses claims from `process_cleanpath`.

- Unused `_credential_store` parameter in `process_cleanpath`.

- TLS utilities (`extract_tls_server_public_key`, `GetPeerCert`,
`get_cached_gateway_public_key`) moved from rdp_proxy.rs to tls.rs.

- Unnecessary `Sync + 'static` bounds on async stream types reduced to
just `Send`.

- Replaced `#[allow(...)]` with `#[expect(...)]` for suppressions.

- Simplified `NetworkClient` struct into `send_network_request`
function.

- Various error handling improvements using `.context()` instead of
`anyhow::anyhow!()`.

- Updated sspi-rs with important fixes.

Changelog: ignore

Author: CBenoit