secrets/azurekeyvault: add a way to use az CLI auth; provide a better resource default

[vangent]

Fixes #2462.

1. If you set AZURE_KEYVAULT_AUTH_VIA_CLI to a truthy value, the default URLOpener will now get authorization from the az CLI instead of from the environment (there are 2 different functions in the Azure auth library for this). We also expose both forms via the existing Dial and a new DialUsingCLIAuth.

2. If you provide a AZURE_AD_RESOURCE, we use it, but if you don't, we use https://vault.azure.net. The Azure auth library defaults it to the "management" resource, which is wrong for KeyVault.

3. Fixed a bug in URL parsing where the URL was parsed incorrectly if the version was included.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@93e40be). Click here to learn what that means.
The diff coverage is 58.33%.

@@            Coverage Diff            @@
##             master    #2463   +/-   ##
=========================================
  Coverage          ?   70.38%           
=========================================
  Files             ?      118           
  Lines             ?    13611           
  Branches          ?        0           
=========================================
  Hits              ?     9580           
  Misses            ?     3366           
  Partials          ?      665

Impacted Files	Coverage Δ
internal/cmd/gocdk/internal/static/vfsdata.go	84.94% <100%> (ø)
secrets/azurekeyvault/akv.go	77.27% <56.52%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 93e40be...4c4548d. Read the comment docs.