impl(oauth2): use impersonated email for RAB with external accounts

[scotthart]

Retrieving the RAB token when external credentials impersonate a service account, should use the service account in lieu of the workforce or workload identity information.

[gemini-code-assist]

Code Review

This pull request implements support for extracting the service account email from the service_account_impersonation_url in external account credentials, in compliance with AIP-4117. It updates ExternalAccountImpersonationConfig to include an email field, which is then used in AllowedLocationsRequest when regional access boundaries (RAB) are enabled. The changes also replace several instances of absl::optional with std::optional and add corresponding unit and integration tests to verify the new behavior. There are no review comments, and I have no additional feedback to provide.

[codecov]

Codecov Report

❌ Patch coverage is 96.55172% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.72%. Comparing base (3cda322) to head (cff1720).

Files with missing lines	Patch %	Lines
...ud/internal/oauth2_external_account_credentials.cc	95.34%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #16139   +/-   ##
=======================================
  Coverage   92.72%   92.72%           
=======================================
  Files        2356     2356           
  Lines      220557   220594   +37     
=======================================
+ Hits       204501   204538   +37     
  Misses      16056    16056           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.