Only use SIM certificates for determining Carrier Provisioning package

This change closes a loophole potentially introduced during the
migration of carrier config packages to CarrierPrivilegesTracker, where
any carrier privileged application could be marked as a carrier
provisioning service, which would potentially allow chaining of
certificates and associated privileges infinitely.

Bug: 267809568
Test: atest CarrierPrivilegesTrackerTest
Change-Id: I16a80428c378a3c555722ca0349e4047d84abe10
Merged-In: I16a80428c378a3c555722ca0349e4047d84abe10
(cherry picked from commit 5f2cc3b8)