image: Fix fsck false-positive for rollback images not in containers-storage

When a composefs deployment's rollback image is in the composefs OCI repo
(has a bootc GC tag) but has been removed from containers-storage,
`bootc internals fsck images` incorrectly reported FAIL.

Rollback deployments may legitimately have their image absent from
containers-storage. After a `bootc switch`, cleanup paths
(`prune_container_store` or the composefs GC) may remove the rollback's
image from containers-storage since only the current deployment's image name
may appear in the booted spec. The rollback image stays in composefs (it's
still a live deployment), but fsck was checking ALL composefs tags against
containers-storage without regard to whether each tag corresponds to a live
deployment.

Fix by cross-referencing composefs tags against live deployment manifests
before checking containers-storage. Each live composefs deployment stores
its manifest digest in a state-dir origin file; we collect these digests
and only enforce containers-storage presence for images whose manifest
appears there. Tags for stale/obsolete images (not backed by any live
deployment) are silently skipped — they will be collected by the next
`composefs-gc` run.

Also fix `list_host_images_composefs` to match by config digest (image ID)
rather than manifest digest when cross-referencing between composefs and
containers-storage. Podman may report a different manifest digest after
layer recompression, but the config digest is stable.

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters