Remove IDENTITY_ENDPOINT requirement for managed identity Azure Blob auth #91

Merged
EdGeraghty merged 2 commits into azure-deploy-docs from copilot/sub-pr-87 on May 1, 2026
Copilot AI commented May 1, 2026

The entrypoint's abs:// validation required IDENTITY_ENDPOINT to accept managed identity, but Azure Container Apps provides managed identity credentials automatically without that variable being visible at the shell level — causing valid managed-identity deployments to fail the startup check.

Changes

  • scripts/container-entrypoint.sh: Replaced the single ||-chain check with a structured approach:

    • Account key and service-principal paths are validated as before
    • Partial service-principal credentials (any of AZURE_CLIENT_ID/AZURE_TENANT_ID/AZURE_CLIENT_SECRET present but not all three) produce a clear error
    • No explicit credentials → managed identity assumed; no validation, consistent with how the Azure SDK resolves credentials on Container Apps

    # Before — blocked valid managed-identity deployments unless IDENTITY_ENDPOINT was set
    env_var_is_populated "LITESTREAM_AZURE_ACCOUNT_KEY" \
        || { env_var_is_populated "AZURE_CLIENT_ID" && ... } \
        || env_var_is_populated "IDENTITY_ENDPOINT" \
        || log_error "..."
    
    # After — managed identity is the implicit fallback; only partial SP creds are an error
    if env_var_is_populated "AZURE_CLIENT_ID" \
        || env_var_is_populated "AZURE_TENANT_ID" \
        || env_var_is_populated "AZURE_CLIENT_SECRET"; then
        env_var_is_populated "AZURE_CLIENT_ID" || log_error "..."
        env_var_is_populated "AZURE_TENANT_ID" || log_error "..."
        env_var_is_populated "AZURE_CLIENT_SECRET" || log_error "..."
    fi
    # If no explicit credentials are provided, managed identity is assumed.

  • templates/azure-container-apps.template.yaml: Expanded the shared-key auth comment with a concrete commented-out YAML example showing both the secrets: entry and the corresponding secretRef env var.
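
The credential resolution described in the comment above, as an added example that is not part of the pull request or the project's code: it reports which auth mode the startup check would accept and names, without printing any values, the service-principal variables that are missing. The body of `env_var_is_populated`, the function name `resolve_abs_auth_mode`, and the account key taking precedence over service-principal variables are assumptions.

```shell
#!/bin/sh
# Added example; not the project's scripts/container-entrypoint.sh.

# Assumed reimplementation of the helper named in the PR:
# succeeds when the variable named by $1 is set and non-empty.
env_var_is_populated() {
    eval "_v=\${$1:-}"
    [ -n "$_v" ]
}

# Hypothetical function. Prints the auth mode that will be used:
#   account-key | service-principal | managed-identity
# Returns 1 when service-principal credentials are only partially set,
# reporting variable names only (never their values) on stderr.
resolve_abs_auth_mode() {
    if env_var_is_populated "LITESTREAM_AZURE_ACCOUNT_KEY"; then
        echo "account-key"   # assumption: the account key wins if present
        return 0
    fi

    present=0
    missing=""
    for name in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET; do
        if env_var_is_populated "$name"; then
            present=$((present + 1))
        else
            missing="$missing $name"
        fi
    done

    if [ "$present" -eq 3 ]; then
        echo "service-principal"
    elif [ "$present" -eq 0 ]; then
        # No explicit credentials: managed identity is the implicit fallback,
        # with no check on IDENTITY_ENDPOINT.
        echo "managed-identity"
    else
        echo "partial service-principal credentials; missing:$missing" >&2
        return 1
    fi
}
```

Logging the resolved mode at startup makes it visible in container logs when a deployment has silently fallen back to managed identity because an expected secret was not injected.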

Copilot AI changed the title from "[WIP] Enhance Azure implementation and update documentation" to "Remove IDENTITY_ENDPOINT requirement for managed identity Azure Blob auth" May 1, 2026
Copilot AI requested a review from EdGeraghty May 1, 2026 11:42
EdGeraghty marked this pull request as ready for review May 1, 2026 11:43
EdGeraghty merged commit 7946707 into azure-deploy-docs May 1, 2026
3 checks passed
EdGeraghty deleted the copilot/sub-pr-87 branch May 1, 2026 11:44