feat: add device_public_key_fingerprint cross-layer binding

[felippemsc]

Summary

• Add device_public_key_fingerprint field to CaptureTrustClaims JWT struct
• Add DevicePublicKeyFingerprintMismatch error variant
• Add verify_device_public_key_fingerprint() integrity check that computes SHA-256(base64_decode(public_key)) and compares to the JWT claim
• Wire fingerprint verification into the validation pipeline (validate.rs)
• Expose fingerprint_match in MediaIntegrityResult and device_public_key_fingerprint in CaptureTrustResult
• Update Python bindings to expose new fields
• Update CLI output to display fingerprint check result

Test plan

• All 25 unit tests pass
• Doc-test passe
• Manual test: validate a sidecar with matching fingerprint → passes