Introduce annotation sanity checks

[jedevc]

🛠️ Fixes #3277, by preventing confusion around what functionality is supported.

This PR resolves two issues with annotation attachment, where inputs will be accepted even if they are not used - we should explicitly error in these cases.

1. Index + Index descriptor annotations are not supported for single platform builds produced by the Dockerfile so we should explicitly error (@tonistiigi, should we have a user accessible way to force this? We can the FrontendAttrs["multi-platform"] key, but could we also expose a build-arg? Automatically detecting annotations like attestations and using ForceRefsProcessor is possible but kind of ugly here, since we'd have to parse exporter options before doing a solve).
2. Valid platforms that are part of annotations but are not built as part of the resulting image cannot be included and so should explicitly error.

[tonistiigi]

Would be good if we could detect this before running the whole build.

[jedevc]

Would be good if we could detect this before running the whole build.

Agreed - unfortunately, I don't think there's a whole lot we can do before. It's not known before a build whether a frontend will produce a single Ref or multiple Refs (e.g. a single platform might produce a map of one ref, or just a ref), so we can't know whether we'll generate a manifest or an index before we run the build.

The frontend itself can also add annotations to the map, so we don't even know all the annotations to add to the image, though if we could get around the above, then we could just check the user-provided annotations at the beginning, and then check the frontend-provided annotations at the same point as the PR currently does.