
ARO-12034 Fix CheckAccessV2 usage for MIWI dynamic validation #3946

Draft: wants to merge 1 commit into base: master
Conversation

rajdeepc2792 (Collaborator)
Which issue this PR addresses:

Fixes https://issues.redhat.com/browse/ARO-12034

What this PR does / why we need it:

After #3920 was merged, MIWI cluster dynamic validation fails because an access token is mandatory to use checkAccessV2.
But since Platform Workload Identities are used via Federated Credentials or OIDC, the access token for them can only be fetched after the Kube API server is up. So, for the fix, when validating a Platform Workload Identity, we won't use the access token and also won't use Group Expansion.

Related thread: https://redhat-external.slack.com/archives/C03F6AA3HDH/p1730225417576639

Test plan for issue:

[ ] Unit Test Cases
[ ] Local Cluster Creation
[ ] CI
[ ] E2E

Is there any documentation that needs to be updated for this PR?

Update the customer-facing documentation for MIWI so that the customer performs the role assignment directly on the platform workload identity only and does not add the identities to a group for the role assignment.

How do you know this will function as expected in production?

Testing in local and canary.

rajdeepc2792 added the labels work-in-progress and chainsaw (Pull requests or issues owned by Team Chainsaw) on Nov 7, 2024
kimorris27 (Contributor) left a comment:

> So, for the fix, when validating Platform Workload Identity, we won't be using the access token and also won't be using the Group Expansion.

I'm a little confused. My reading of the new code is that changes are being made not to the platform identity validation but to the cluster MSI validation, and that the cluster MSI is no longer being validated. I find check access v2 confusing in general though. Could you help me understand it a bit better?
