Guard setting of remote entry with a permission

As part of API feedback review from internal alignment on allowing a single remote
entry provider only, based on OEM config + permission.

Currently the permission is being checked in CredentialProviderService,
so as to throw the SecurityException in the provider process. This change
also contains a second round of check for the permission and the OEM
configured provider, in the system server. If the second layer of checls
fail, the entry is silently ignored.

Bug: 267665515
Test: built & deployed locally

Change-Id: Ia6bd81da2f19226df469eb733054e46bdfa98e69