[GEP-26] Support workload identity tokens for cloud provider CLIs

[petersutter]

What would you like to be added:
With GEP-26, a new WorkloadIdentity resource is introduced. This resource is comparable to ServiceAccounts, for which tokens can be requested by creating a security.gardener.cloud/v1alpha1.TokenRequest. This is similar to the TokenRequest API for service accounts.

It should be possible to request such tokens via gardenctl to configure the cloud provider CLIs. This is similar to how it is currently done with the provider-env command, which uses the static cloud infrastructure credentials stored as secrets in the garden cluster.

Why is this needed:

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten

/close