Switch API App Insights auth to Managed Identity

[davidortinau]

Tracking issue surfaced during PR #166.

Current state

The API authenticates to App Insights (sstudio-mobile-ai) via an embedded connection string in appsettings.Production.json. Works, but it's a long-lived secret in source-ish config.

Target state

Replace the connection string with DefaultAzureCredential so the API's Container App managed identity authenticates directly to the App Insights workspace. No embedded key.

Work required

• Grant the API Container App's managed identity the Monitoring Metrics Publisher role on the App Insights resource (and whatever ingestion roles the current SDK needs)
• Update Program.cs / OTel wiring to use AddAzureMonitorExporter with credential-based auth (or equivalent)
• Remove the connection string from appsettings.Production.json
• Verify telemetry still flows post-switch (same KQL smoke suite as PR Server-side App Insights: close mobile↔API correlation loop #166)
• Document the identity→role grant in the runbook for future RG re-provisions

Context: PR #166