Bug: Twoliter does not validate that the kit or sdk version = field in the lock matches the source url correctly

[jmt-lab]

We had an occurence where a developer accidentally commited a manual edit of a Twoliter.lock file leading to the version field for the sdk entry to mismatch with the resolved source = "" uri. While this will not cause any issues as the actual object pulled when lockfile is used by twoliter will always be the source it adds ambiguity.

Example human modification that put the lock file into invalid state:

schema-version = 1
kit = []

[sdk]
name = "bottlerocket-sdk"
version = "0.50.0"
vendor = "bottlerocket"
source = "public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.50.1"
digest = "HEh3Lx3F6P4OEPnFubF++RMpMW2vlfp/Tc/tGjnBRcM="

We should make sure our validation when we load a lockfile ensures that the version -> source tag since pubsys will always publish kits currently with that tagging scheme.