Add Key Vault RBAC private access fixtures #1519

Open: jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/azure-kv-rbac-fixtures-1511

@jddark62 jddark62 commented Jun 6, 2026

Summary

Strengthens azure-review for Key Vault RBAC transition and private endpoint enforcement.

This adds:

  • Key Vault RBAC evidence requirements for data-plane role assignments, management-plane grant authority, group expansion, live role export, migration drift, owner, expiry, and review evidence.
  • Private access enforcement checks for public network access, firewall default action, AzureServices bypass, private endpoint subresource, private DNS, client resolution, diagnostics, and deployment-agent exceptions.
  • Output fields for evidence confidence, Not Evaluable reasons, and a Key Vault RBAC/private access evidence table.
  • Seven YAML calibration fixtures covering controlled RBAC/private access, broad data-plane admin roles, migration drift, public paths left open, missing private DNS, unsupported bypass exceptions, and hosted CI/CD access exceptions.

Validation

  • git diff --check
  • Skill frontmatter YAML parse
  • Fixture YAML parse: 7 YAML blocks
  • Markdown fence balance check
  • Public-file privacy scan
  • Microsoft Learn references checked for Key Vault RBAC, RBAC migration, and network security pages

/claim #1511

Payment details can be coordinated privately after maintainer acceptance.
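
An added example, not code from this pull request or from the azure-review skill: a minimal Python evaluator for the RBAC-mode and private access checks listed in the description above, run over constructed Key Vault resource exports. The function name, the Pass/Fail rules (including treating any AzureServices bypass as a failure) and the sample vaults are assumptions; the property names are those of the `Microsoft.KeyVault/vaults` ARM resource.

```python
# Added example: names and verdict rules are assumptions, not the project's code.
NOT_EVALUABLE = "Not Evaluable"

def review_vault(vault):
    """Map each check to (status, reason) for one Key Vault ARM resource dict."""
    props = vault.get("properties", {})
    acls = props.get("networkAcls") or {}
    results = {}

    def record(check, field, value, expected):
        if value is None:
            # Missing evidence is reported, never assumed to be the safe value.
            results[check] = (NOT_EVALUABLE, f"{field} absent from export")
        elif str(value).lower() == str(expected).lower():
            results[check] = ("Pass", f"{field}={value}")
        else:
            results[check] = ("Fail", f"{field}={value}, expected {expected}")

    record("rbac_mode", "enableRbacAuthorization",
           props.get("enableRbacAuthorization"), True)
    record("public_network_access", "publicNetworkAccess",
           props.get("publicNetworkAccess"), "Disabled")
    record("firewall_default_action", "networkAcls.defaultAction",
           acls.get("defaultAction"), "Deny")
    record("azure_services_bypass", "networkAcls.bypass",
           acls.get("bypass"), "None")

    conns = props.get("privateEndpointConnections")
    if conns is None:
        results["private_endpoint"] = (
            NOT_EVALUABLE, "privateEndpointConnections absent from export")
    else:
        states = [c.get("properties", {})
                   .get("privateLinkServiceConnectionState", {})
                   .get("status") for c in conns]
        status = "Pass" if "Approved" in states else "Fail"
        results["private_endpoint"] = (status, f"connection states: {states}")
    return results

# Constructed sample exports (not real resources).
HARDENED = {"properties": {
    "enableRbacAuthorization": True, "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    "privateEndpointConnections": [{"properties": {
        "privateLinkServiceConnectionState": {"status": "Approved"}}}]}}
OPEN_PATH = {"properties": {
    "enableRbacAuthorization": False, "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": []}}  # networkAcls deliberately missing

if __name__ == "__main__":
    for name, vault in (("hardened", HARDENED), ("open_path", OPEN_PATH)):
        for check, (status, reason) in review_vault(vault).items():
            print(f"{name:10} {check:24} {status:14} {reason}")
```

The second sample shows the distinction the description draws between a failed check and one that cannot be evaluated: the firewall and bypass checks return Not Evaluable because `networkAcls` is missing from the export, while the public network access check fails outright.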
