pip integration: figure out feature gating in pip-audit #336

@woodruffw

Description

Breakout from #335: we need to design an ergonomic "feature gate" scheme for pip-audit, to handle the following deployments:

  • python -m pip install pip-audit (and all third-party packages): support for SBOM generation, the OSV vulnerability service, etc.
  • pip audit: no support for -s osv, --format=spdx-..., etc.

Some ideas:

  • If "default" extras were possible, we could define osv and spdx extras that pip install would activate by default. Unfortunately, default extras are currently not possible.
  • We could probably get away with a single feature flag, something like pip_audit.VENDORED_INTO_PIP, which we then just use to remove a handful of CLI options and prevent importing pip_audit._format.cyclonedx.
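A sketch of the single-flag idea, added here as an illustration and not code from pip-audit or its maintainers: one boolean gate shrinks the argparse choices (so -s osv and --format=spdx-... are rejected at parse time) and is checked before the third-party-backed formatter module is imported. The flag name VENDORED_INTO_PIP comes from the comment above; the helper names, the spdx-json format and every module path other than pip_audit._format.cyclonedx are assumptions.

```python
import argparse
import importlib

# The single gate the issue proposes: True when pip-audit is vendored into pip, where
# third-party packages (cyclonedx etc.) cannot be imported. (Name is an assumption.)
VENDORED_INTO_PIP = False

# Standalone-only features, mapped to the module implementing them. Only
# pip_audit._format.cyclonedx is named on the page; the other paths are assumptions.
GATED_SERVICES = {"osv": "pip_audit._service.osv"}
GATED_FORMATS = {
    "cyclonedx-json": "pip_audit._format.cyclonedx",
    "cyclonedx-xml": "pip_audit._format.cyclonedx",
    "spdx-json": "pip_audit._format.spdx",
}

def choices(base, gated, vendored):
    """CLI choices for one option: the gated values disappear under the flag."""
    return list(base) if vendored else list(base) + list(gated)

def build_parser(vendored=VENDORED_INTO_PIP):
    """Gated values are rejected at parse time (usage error), not by a late ImportError."""
    parser = argparse.ArgumentParser(prog="pip audit" if vendored else "pip-audit")
    parser.add_argument("-s", "--vulnerability-service", default="pypi",
                        choices=choices(["pypi"], GATED_SERVICES, vendored))
    parser.add_argument("--format", default="columns",
                        choices=choices(["columns", "json"], GATED_FORMATS, vendored))
    return parser

def accepts(argv, vendored=VENDORED_INTO_PIP):
    """True if argv parses under the given gate (argparse exits on a bad choice)."""
    try:
        build_parser(vendored).parse_args(argv)
        return True
    except SystemExit:
        return False

def formatter_module(name, vendored=VENDORED_INTO_PIP):
    """Decide which module an output format needs before importing anything, so a
    gated, third-party-backed module is never touched under `pip audit`."""
    if name not in GATED_FORMATS:
        return None  # built-in formats need no third-party import in this sketch
    if vendored:
        raise RuntimeError(f"--format={name} is not available in `pip audit`")
    return GATED_FORMATS[name]

def load_formatter(name, vendored=VENDORED_INTO_PIP):
    """Lazy import: the gated module is imported only after the gate allowed it."""
    path = formatter_module(name, vendored)
    return importlib.import_module(path) if path else None
```

Rejecting gated values in the parser gives the vendored `pip audit` a clear usage error instead of an ImportError from a dependency pip does not ship.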
