
[Role] Feature: Add az role deny-assignment create/delete commands#33109

Open

jruttle wants to merge 13 commits into Azure:dev from jruttle:jruttle/add-deny-assignment-commands

[Role] Feature: Add az role deny-assignment create/delete commands#33109
jruttle wants to merge 13 commits into
Azure:devfrom
jruttle:jruttle/add-deny-assignment-commands

Conversation

@jruttle jruttle commented Mar 31, 2026

### Description

Adds `az role deny-assignment create` and `az role deny-assignment delete` commands for managing user-assigned deny assignments, matching the existing `az role assignment` pattern.

This implements the PUT/DELETE operations added in the Microsoft.Authorization/denyAssignments API (2024-07-01-preview), as specified in TypeSpec PR #41617.

### Two Assignment Modes

The create command supports two modes for targeting principals:

**Everyone mode (default):** Denies all principals at the scope. At least one excluded principal is required via `--exclude-principal-ids`:

```bash
az role deny-assignment create --name "DenyAll" --scope /subscriptions/{sub} \
  --actions "Microsoft.Compute/virtualMachines/delete" \
  --exclude-principal-ids {your-object-id}
```

**Per-principal mode:** Denies a specific User or ServicePrincipal via `--principal-id` and `--principal-type`:

```bash
az role deny-assignment create --name "DenyUser" --scope /subscriptions/{sub} \
  --actions "Microsoft.Compute/virtualMachines/delete" \
  --principal-id {user-object-id} --principal-type User
```

### Service Constraints

User-assigned deny assignments have specific restrictions enforced by the service:

- Group principals are not permitted: only User or ServicePrincipal
- No DataActions: only Actions/NotActions are supported
- No Read actions: actions like `*/read` are not permitted
- No DoNotApplyToChildScopes: this property is not supported
- Single principal per UADA: one principal per deny assignment (enforced by backend)

### Commands

- `az role deny-assignment list`: List deny assignments (existing, enhanced)
- `az role deny-assignment show`: Show a deny assignment (existing, enhanced)
- `az role deny-assignment create`: Create a user-assigned deny assignment
- `az role deny-assignment delete`: Delete a user-assigned deny assignment

### Files Changed

- `commands.py`: Command registration for the `role deny-assignment` group
- `custom.py`: Business logic with dual-mode principal handling and validation
- `_params.py`: Parameter definitions including `--principal-id` and `--principal-type`
- `_help.py`: Help text with examples for both Everyone and per-principal modes
- `linter_exclusions.yml`: Exclusions for long parameter names
- `tests/latest/test_deny_assignment.py`: Unit tests (list, show, CRUD, per-principal, Group rejection, param validation)

### Dependency

> Note: The create and delete operations depend on the Python SDK PR azure-sdk-for-python#46223 being merged first. This PR pins `azure-mgmt-authorization` to 5.0.0b2 (released 7 May 2026 on PyPI), which includes the `create_or_update` and `delete` methods on `DenyAssignmentsOperations`.

### Testing

Tests are included in `test_deny_assignment.py`. Full end-to-end testing requires:

1. A subscription with the `Microsoft.Authorization/SubscriptionAllowedToOperateUserAssignedDenyAssignment` feature flag registered
2. The updated Python SDK with create/delete support

### Related

- TypeSpec PR: azure-rest-api-specs#41617 (merged)
- Python SDK auto-gen PR: azure-sdk-for-python#46223 (awaiting review)
- Go SDK auto-gen PR: azure-sdk-for-go#26544 (awaiting review)
- Java SDK auto-gen PR: azure-sdk-for-java#48751 (awaiting review)
- JS SDK auto-gen PR: azure-sdk-for-js#38079 (awaiting review)
- PowerShell PR: azure-powershell#29340 (merged ✅)

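The PR description lists the two principal-targeting modes and the constraints the service enforces on user-assigned deny assignments (no Group principals, no DataActions, no read actions, no DoNotApplyToChildScopes, at least one exclusion in Everyone mode). The block below is an added example, not code from the azure-cli PR or from `custom.py`: it performs the same checks client-side before any request is sent, so a misconfigured deny assignment fails locally with a clear message instead of a service error. The `DenyAssignmentRequest` dataclass, the `validate` function and its field names are assumptions for illustration and are not the CLI's own parameter model; the read-action check (last path segment equals `read`) is a heuristic that covers the `*/read` case named in the description.

```python
"""Client-side pre-flight validation for a user-assigned deny assignment.

Added example, not code from the azure-cli PR. It mirrors the service
constraints listed in the PR description; the class, function and field
names below are assumptions for illustration, not the CLI's own model.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Per the PR description: Group principals are rejected by the service.
ALLOWED_PRINCIPAL_TYPES = {"User", "ServicePrincipal"}


@dataclass
class DenyAssignmentRequest:
    """Inputs corresponding to the flags described for `deny-assignment create`."""
    name: str
    scope: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)
    exclude_principal_ids: List[str] = field(default_factory=list)
    principal_id: Optional[str] = None
    principal_type: Optional[str] = None
    do_not_apply_to_child_scopes: bool = False


def is_read_action(action: str) -> bool:
    """Heuristic: an action whose last segment is `read` (e.g. `*/read`)."""
    return action.rsplit("/", 1)[-1].lower() == "read"


def validate(req: DenyAssignmentRequest) -> List[str]:
    """Return every constraint violation found; an empty list means the request is acceptable."""
    errors: List[str] = []

    per_principal = req.principal_id is not None or req.principal_type is not None
    if per_principal:
        # Per-principal mode: both flags are needed, and only two principal types are allowed.
        if not (req.principal_id and req.principal_type):
            errors.append("--principal-id and --principal-type must be given together")
        elif req.principal_type not in ALLOWED_PRINCIPAL_TYPES:
            errors.append(
                f"principal type {req.principal_type!r} is not permitted; "
                "only User or ServicePrincipal"
            )
        if req.exclude_principal_ids:
            errors.append("--exclude-principal-ids applies only in Everyone mode")
    else:
        # Everyone mode denies all principals at the scope; without an exclusion
        # the caller denies themselves as well, so at least one is required.
        if not req.exclude_principal_ids:
            errors.append("Everyone mode requires at least one --exclude-principal-ids")

    if not req.actions:
        errors.append("at least one --actions entry is required")
    for action in req.actions:
        if is_read_action(action):
            errors.append(f"read action {action!r} is not permitted")
    if req.data_actions:
        errors.append("DataActions are not supported; only Actions/NotActions")
    if req.do_not_apply_to_child_scopes:
        errors.append("DoNotApplyToChildScopes is not supported")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs (placeholder IDs, not real principals).
    samples = {
        "everyone-ok": DenyAssignmentRequest(
            name="DenyAll", scope="/subscriptions/{sub}",
            actions=["Microsoft.Compute/virtualMachines/delete"],
            exclude_principal_ids=["00000000-0000-0000-0000-000000000001"],
        ),
        "group-rejected": DenyAssignmentRequest(
            name="DenyGroup", scope="/subscriptions/{sub}",
            actions=["Microsoft.Compute/virtualMachines/delete"],
            principal_id="00000000-0000-0000-0000-000000000002", principal_type="Group",
        ),
    }
    for label, req in samples.items():
        print(label, validate(req) or "OK")
```

Run it before issuing the real `az role deny-assignment create`; anything other than `OK` names the flag to fix. The same function is a natural home for a unit test table mirroring the "Group rejection" and "param validation" cases the PR's own test file lists.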
