Simplify EndpointValidator handling of allowed suffixes

[alzimmermsft]

What does this PR do?

Cleans up the design of EndpointValidator to make suffix handling clearer and easier to extend in the future.

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

• Required for All PRs
  • Read contribution guidelines
  • PR title clearly describes the change
  • Commit history is clean with descriptive messages (cleanup guide)
  • Added comprehensive tests for new/modified functionality
  • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
• For MCP tool changes:
  • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
  • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
  • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
  • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
  • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
  • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
  • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
• Extra steps for Azure MCP Server tool changes:
  • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
  • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
  • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
  • 👉 For Community (non-Microsoft team member) PRs:
    • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
    • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

[jongio]

Two issues block this PR:

1. Subdomain matching broken

GetSuffixForEnvironment returns bare domains (azconfig.io) but the unchanged validation lambda checks suffix.StartsWith('.') for subdomain matching. Since the leading dot is gone, that branch never executes - every subdomain endpoint like myconfig.azconfig.io gets rejected. Only exact domain matches pass, which no real Azure service uses. This is almost certainly what's causing the 4 CI failures.

2. Error message regression

string.Join(", ", allowedSuffixes) now operates on IEnumerable<AllowedSuffixManager>, so it'll print the record's ToString() (all four cloud variants) instead of clean domain strings.

Suggested fix for both - resolve suffixes into a string array before the validation and error paths:

var resolvedSuffixes = allowedSuffixes
    .Select(s => $".{s.GetSuffixForEnvironment(armEnvironment)}")
    .ToArray();

var isValid = resolvedSuffixes.Any(suffix =>
{
    // existing lambda unchanged
});

// in error path:
$"Expected domains: {string.Join(\", \", resolvedSuffixes)}"

Minor: IEnumerable<AllowedSuffixManager> could be AllowedSuffixManager[] for better AOT clarity.

[Copilot]

Pull request overview

This PR refactors EndpointValidator’s Azure-service allowed-domain suffix handling to a more data-driven structure, aiming to make sovereign cloud suffix selection clearer and easier to extend.

Changes:

• Replaced per-call suffix dictionary construction with a static suffix map keyed by service type.
• Introduced an AllowedSuffixManager record to resolve suffixes based on ArmEnvironment.
• Updated validation logic to resolve environment-specific suffixes before performing host checks and error reporting.