Fix: Populate Claims from STS session RequestContext for policy variable substitution (#8082)

* Fix: Populate Claims from STS session RequestContext for policy variable substitution

When using STS temporary credentials (from AssumeRoleWithWebIdentity) with
AWS Signature V4 authentication, JWT claims like preferred_username were
not available for bucket policy variable substitution (e.g., ${jwt:preferred_username}).

Root Cause:
- STS session tokens store user claims in the req_ctx field (added in PR #8079)
- validateSTSSessionToken() created Identity but didn't populate Claims field
- authorizeWithIAM() created IAMIdentity but didn't copy Claims
- Policy engine couldn't resolve ${jwt:*} variables without claims

Changes:
1. auth_signature_v4.go: Extract claims from sessionInfo.RequestContext
   and populate Identity.Claims in validateSTSSessionToken()
2. auth_credentials.go: Copy Claims when creating IAMIdentity in
   authorizeWithIAM()
3. auth_sts_identity_test.go: Add TestSTSIdentityClaimsPopulation to
   verify claims are properly populated from RequestContext

This enables bucket policies with JWT claim variables to work correctly
with STS temporary credentials obtained via AssumeRoleWithWebIdentity.

Fixes #8037

* Refactor: Idiomatic map population for STS claims
Chris Lu, 2026-01-21 18:36:24 -08:00, committed by GitHub
parent 51735e667c
commit 5472061231
3 changed files with 75 additions and 0 deletions
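The commit message above describes a data path rather than showing it: JWT claims ride in the STS session token's request context, get copied into the identity at signature-verification time, and are then the only source the policy engine has for `${jwt:...}` variables. The following Go program is an added illustration of that path and of the failure the fix addresses; it is not SeaweedFS code. The `Identity`, `IAMIdentity` and `sessionInfo` types are simplified stand-ins (the real types have more fields), `identityFromSession`, `toIAMIdentity`, `substituteJWTVars` and `resourceAllowed` are hypothetical helpers written for this example, and the session contents are constructed. The one deliberate design choice worth noting is that an unresolved variable is an error, so a policy never collapses to a broader prefix when claims are missing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identity and IAMIdentity are simplified stand-ins for the shapes named in the
// commit message (hypothetical, not SeaweedFS's own types). Claims is what the
// policy engine reads ${jwt:<claim>} values from.
type Identity struct {
	Name   string
	Claims map[string]string
}

type IAMIdentity struct {
	Name   string
	Claims map[string]string
}

// sessionInfo stands in for a decoded STS session token; RequestContext is the
// req_ctx payload that carries the claims from AssumeRoleWithWebIdentity.
type sessionInfo struct {
	Subject        string
	RequestContext map[string]string
}

// identityFromSession is the fixed behaviour in miniature: the claims are copied
// out of the session's request context instead of leaving Identity.Claims nil.
func identityFromSession(s sessionInfo) Identity {
	claims := make(map[string]string, len(s.RequestContext))
	for k, v := range s.RequestContext {
		claims[k] = v
	}
	return Identity{Name: s.Subject, Claims: claims}
}

// toIAMIdentity carries Claims across so the policy engine can see them.
func toIAMIdentity(id Identity) IAMIdentity {
	return IAMIdentity{Name: id.Name, Claims: id.Claims}
}

var policyVar = regexp.MustCompile(`\$\{jwt:([A-Za-z0-9_.-]+)\}`)

// substituteJWTVars expands ${jwt:<claim>} in a policy string. It fails closed:
// a variable whose claim is absent or empty is reported as an error rather than
// being replaced by "" (which would turn ".../${jwt:preferred_username}/*" into
// ".../" + "/*", a far wider prefix than intended).
func substituteJWTVars(s string, claims map[string]string) (string, error) {
	var missing []string
	out := policyVar.ReplaceAllStringFunc(s, func(m string) string {
		name := policyVar.FindStringSubmatch(m)[1]
		v, ok := claims[name]
		if !ok || v == "" {
			missing = append(missing, name)
			return m
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved policy variables: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

// matchResource supports the trailing '*' wildcard used in bucket policy ARNs.
func matchResource(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// resourceAllowed resolves the policy resource pattern against the caller's
// claims and then matches the requested resource. Any substitution error is a
// deny, never an allow.
func resourceAllowed(pattern, resource string, id IAMIdentity) (bool, error) {
	expanded, err := substituteJWTVars(pattern, id.Claims)
	if err != nil {
		return false, err
	}
	return matchResource(expanded, resource), nil
}

func main() {
	// Constructed sample: what the session would carry for OIDC user "alice".
	sess := sessionInfo{
		Subject:        "sts:alice",
		RequestContext: map[string]string{"preferred_username": "alice", "email": "alice@example.test"},
	}
	pattern := "arn:aws:s3:::team-bucket/home/${jwt:preferred_username}/*"

	id := toIAMIdentity(identityFromSession(sess))
	ok, err := resourceAllowed(pattern, "arn:aws:s3:::team-bucket/home/alice/notes.txt", id)
	fmt.Println("own prefix, claims present:", ok, err)
	ok, err = resourceAllowed(pattern, "arn:aws:s3:::team-bucket/home/bob/notes.txt", id)
	fmt.Println("other user's prefix:", ok, err)

	// The pre-fix situation: an identity whose Claims were never populated.
	broken := IAMIdentity{Name: "sts:alice"}
	ok, err = resourceAllowed(pattern, "arn:aws:s3:::team-bucket/home/alice/notes.txt", broken)
	fmt.Println("claims missing:", ok, err)
}
```

Run it as `go run .`; the third line shows why the bug surfaced as a denial rather than as a crash: with no claims the variable cannot be resolved, and the safe outcome is to refuse the request, which is exactly what users of `${jwt:preferred_username}` policies saw before this fix. Note that `toIAMIdentity` shares the claims map with the source `Identity`, mirroring the hunk below; that is fine as long as nothing mutates it after construction.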


@@ -1408,6 +1408,7 @@ func (iam *IdentityAccessManagement) authorizeWithIAM(r *http.Request, identity
Name: identity.Name,
Account: identity.Account,
PolicyNames: identity.PolicyNames,
Claims: identity.Claims, // Copy claims for policy variable substitution
}
// Determine authorization path and configure identity
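Review bot: `Claims: identity.Claims` copies only the map header, so the new IAMIdentity and the source Identity share one underlying map; if anything mutates the claims later, or if the source Identity is longer-lived than one request, the values the policy engine substitutes for ${jwt:*} can change underneath it. Either clone the map here (`Claims: maps.Clone(identity.Claims)` in Go 1.21+) or make the comment state that Claims is read-only after construction. Also, the commit message describes TestSTSIdentityClaimsPopulation as checking claims populated from RequestContext in validateSTSSessionToken; a case that calls authorizeWithIAM and asserts the resulting IAMIdentity carries the same claims would cover this line too.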