Implement per-project limits on ProjectScopeLink

What does this MR do and why?

This prevents the creation of new ProjectScopeLink records in a particular direction if a project already has 100 or more links in that direction.

The change was detailed in #333768 (closed). We're shipping this first as a simple hardcoded limit to implement the limiting logic, and will follow up with another MR to make the limit configurable as a PlanLimit.

Importantly, it does not invalidate existing ProjectScopeLinks so if there's a self-managed customer that's over this limit, the existing link structure won't break. They'll just not be allowed to create more.

We're not putting this limit behind a feature flag, because the whole feature is still behind the ci_inbound_job_token_scope feature flag which is currently defaulted to off. If a SM customer is over the limit, it means they've opted in to an unreleased feature, and the release note we'll include with 15.9 is sufficient notice.

We know that there are no SaaS customers with projects over this limit.

How to set up and validate locally

1. Create 100 (or fewer, if you change the constant for convenience) projects to Project A's outbound token scope.
2. Attempt to add another project to Project A's outbound token scope.

This manual test is the same structure as the unit test being added in this MR.

Screenshots

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.