ci: migrate release pipeline to 1ES Official template with ESRP siging and NuGet push

[Mielek]

Replace the legacy onebranch-based release pipeline with a 1ES Pipeline Template extends shape that:

• Extends v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates on Azure-Pipelines-1ESPT-ExDShared (windows-2022) so all signing steps run on a Windows 1ES-managed pool.
• Builds + tests the main solution with --configuration Release (the previous pipeline silently produced Debug-compiled nupkgs).
• Signs produced toolkit assemblies with EsrpCodeSigning@5 using Authenticode (CP-230012) before pack so signed binaries end up inside the .nupkg. Pattern is restricted to our owned files (Authoring, Analyzers, Core, Compiling.{dll,exe}, Decompiling.{dll,exe}, Testing) to avoid signing third-party dependencies pulled into bin.
• Packs with --no-build so the signed assemblies are embedded.
• Signs produced *.nupkg with EsrpCodeSigning@5 using the NuGet signing profile (CP-401405) and verifies the signature with nuget verify -All.
• Restores + builds + tests the example solution as a sanity check that the freshly produced (and, on tagged runs, signed) packages work end-to-end through the example's ../output package source.
• Publishes the signed packages as a 1ES pipelineArtifact (SignedPackages).
• Adds a publish deployment stage (templateContext.type: releaseJob, isProduction: true, environment nuget-org) that pushes the signed packages to NuGet.org via 1ES.PublishNuget@1 against the api-management-policy-toolkit-nuget-connection service connection.

All signing, package verification, and publishing steps are tag-gated with startsWith(variables['Build.SourceBranch'], 'refs/tags/v'). Manual non-tag runs still execute the full build + test path (sanity check) but skip ESRP signing and NuGet push.