[release/9.0.1xx] Backport "Pin Base Image via Digest" to release/9.0.2xx #45869

Open
wants to merge 1 commit into
base: release/9.0.1xx

github-actions[bot]

@github-actions github-actions bot commented Jan 10, 2025

Backport of #45594 to release/9.0.1xx due to @tmds's request in #45856.

Fixes #45856

Description

This feature was implemented in #44461 and is being included in the 9.0.2xx band with #45594.

The feature enables pinning the base image to a specific digest. This makes it possible to control and determine the exact version of a container image tag that was used, which is important for software supply chain (SBOMs) and reproducibility of build environments.

  • Source-built SDKs are limited to the .1xx band. Unless it gets backported, the feature isn't available for source-built SDKs until .NET 10. If we backport it in our builds, we land on the next point*.
  • The current behavior of the 9.0.1xx band is to ignore the digest rather than give an error. This makes it undetermined what digest was effectively used. It would be preferable to have the digest work across all 9.0 bands, rather than rely on the user to know the 9.0.1xx band doesn't support it (*: or know the source-built maintainers chose to backport it manually).

Customer Impact

Without this change, the second bullet point is the big sticking point - users can provide a Digest, but the tooling will not make use of the digest.

Regression?

No - this is a new feature in 9.0.2xx

Risk

Low - we have good (new) test coverage here, and this doesn't change any of the logic around consuming the base images themselves, only the selection of which base image to use.

@github-actions github-actions bot requested a review from a team as a code owner January 10, 2025 15:51
@dotnet-issue-labeler dotnet-issue-labeler bot added the labels Area-Infrastructure and untriaged (Request triage from a team member) Jan 10, 2025
@baronfel baronfel changed the title from [release/9.0.1xx] Backport #44461 to release/9.0.2xx to [release/9.0.1xx] Backport "Pin Base Image via Digest" to release/9.0.2xx Jan 10, 2025
@baronfel baronfel added the labels Servicing-consider and Area-Containers (Related to dotnet SDK containers functionality) Jan 10, 2025
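
An added example, not part of the pull request or the SDK's own code: a small check that classifies base image references as pinned by digest, tag-only, or carrying a malformed digest, so a pipeline can flag anything that is not pinned. The function names, the `registry.example.com` references and the placeholder digest are assumptions constructed for illustration.

```python
import re

# Hex length required per digest algorithm (the two registered in the OCI image spec).
DIGEST_HEX_LEN = {"sha256": 64, "sha512": 128}

def parse_image_ref(ref):
    """Split 'registry/repo:tag@algo:hex' into parts; tag and digest may be absent."""
    name, sep, digest = ref.partition("@")
    # A ':' is the tag separator only when it follows the last '/', so a
    # registry port such as 'localhost:5000/base' is not mistaken for a tag.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    else:
        tag = None
    return {"name": name, "tag": tag, "digest": digest if sep else None}

def pin_status(ref):
    """Return 'pinned', 'unpinned' or 'invalid-digest' for one reference."""
    digest = parse_image_ref(ref)["digest"]
    if digest is None:
        return "unpinned"
    algo, _, hexval = digest.partition(":")
    want = DIGEST_HEX_LEN.get(algo)
    if want is None or not re.fullmatch(r"[0-9a-f]{%d}" % want, hexval):
        return "invalid-digest"
    return "pinned"

def audit(refs):
    """Map each reference to its status so CI can fail on anything not 'pinned'."""
    return {r: pin_status(r) for r in refs}

# Constructed sample references; the digest is a placeholder, not a real image.
FAKE = "sha256:" + "ab" * 32
SAMPLES = [
    "registry.example.com/team/base:9.0",          # tag only
    "registry.example.com/team/base:9.0@" + FAKE,  # tag plus digest
    "localhost:5000/base@" + FAKE,                 # registry port, no tag
    "localhost:5000/base:latest@sha256:abc123",    # truncated digest
]

if __name__ == "__main__":
    for ref, status in audit(SAMPLES).items():
        print(f"{status:15} {ref}")
```

This inspects the reference string only. Because the description states that the 9.0.1xx band ignores a supplied digest rather than erroring, a "pinned" result does not by itself show that the build used that digest on that band.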