KeyMint VTS: ATTEST_KEY has no other purpose

The KeyMint spec has always required that keys with the ATTEST_KEY
purpose "must not have any other purpose".

Add explicit tests for combined-purpose keys to be rejected.

Also expand the spec text to require a specific error code, and to
explain the rationale for single-purpose ATTEST_KEY keys.

Bug: 197096139
Test: VtsAidlKeyMintTargetTest
Change-Id: I2a2014f0ddc497128ba51bb3f43671f759789912