Preflight check: detect Azure Policy blocking local authentication #7177

@vhvb1989

Description

Problem

When a subscription has an Azure Policy that denies resources with local authentication enabled (e.g., disableLocalAuth must be true), azd provision fails at deploy time with a cryptic RequestDisallowedByPolicy error:

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation.
RequestDisallowedByPolicy: Resource 'stdagcewyyviu73h' was disallowed by policy.
Reasons: 'This request was denied due to internal policy. Local authentication methods
are not allowed.'

Users get no prior warning before the (often long) deployment attempt.

Proposal

Add a local preflight check that:

  1. Lists Azure Policy assignments on the target subscription
  2. Fetches policy definitions and inspects policyRule for disableLocalAuth-related deny conditions
  3. Cross-references the target resource types against the Bicep snapshot resources
  4. Reports a warning if any template resource has disableLocalAuth: false or missing while a deny policy requires it

This fits naturally into the existing preflight infrastructure (local_preflight.go + PreflightCheckFn).

Scope

  • New PolicyService in pkg/azapi/ using the armpolicy Azure SDK
  • Lightweight parser for policy rule conditions (focused on disableLocalAuth field patterns)
  • New preflight check function registered in bicep_provider.go
  • Warning-level only (not blocking) since we cannot evaluate exemptions or complex conditions

Limitations (acceptable for a warning)

  • Cannot evaluate complex nested policy conditions (tags, locations, etc.)
  • Cannot check policy exemptions
  • Parameterized effects need resolution from assignment parameters
  • Policy initiatives (sets) need an extra level of resolution
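The following is an added, stand-alone sketch of steps 2 through 4 of the proposal (the lightweight policyRule parser and the cross-reference against template resources); it is example code written for this page, not azd's own implementation, and it does not call the armpolicy SDK. Step 1 (listing assignments) and the definition fetch are assumed to have already produced the raw policyRule JSON and the assignment parameters. The function names (ParseLocalAuthDenyRule, CheckLocalAuth, DemoWarnings), the TemplateResource shape standing in for a Bicep snapshot resource, and the sample policy rules and resources are all constructed for the example. It deliberately refuses rules that use anyOf/not or non-type, non-disableLocalAuth fields, which mirrors the "cannot evaluate complex nested policy conditions" limitation, and it resolves a `[parameters('effect')]` effect from assignment parameters as the limitations list says would be needed:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// condition is one node of an Azure Policy "if" tree. Only the operators this
// check understands are modelled; anything else is reported as unsupported.
type condition struct {
	Field     string      `json:"field,omitempty"`
	Equals    interface{} `json:"equals,omitempty"`
	NotEquals interface{} `json:"notEquals,omitempty"`
	Exists    interface{} `json:"exists,omitempty"`
	AllOf     []condition `json:"allOf,omitempty"`
	AnyOf     []condition `json:"anyOf,omitempty"`
	Not       *condition  `json:"not,omitempty"`
}

// policyRule is the policyRule object of a policy definition ("if" + "then").
type policyRule struct {
	If   condition `json:"if"`
	Then struct {
		Effect string `json:"effect"`
	} `json:"then"`
}

// LocalAuthDenyRule is the distilled result: ResourceType is denied unless
// Field (a ".../disableLocalAuth" alias) is true.
type LocalAuthDenyRule struct {
	ResourceType string
	Field        string
}

// resolveEffect turns "[parameters('effect')]" into the value supplied by the
// assignment, falling back to the definition's default (assumed inputs).
func resolveEffect(effect string, assignmentParams, defaults map[string]string) string {
	const prefix, suffix = "[parameters('", "')]"
	if strings.HasPrefix(effect, prefix) && strings.HasSuffix(effect, suffix) {
		name := strings.TrimSuffix(strings.TrimPrefix(effect, prefix), suffix)
		if v, ok := assignmentParams[name]; ok {
			return v
		}
		return defaults[name]
	}
	return effect
}

// requiresTrue reports whether a leaf fires when disableLocalAuth is false or absent.
func requiresTrue(c condition) bool {
	return c.NotEquals == true || c.Equals == false || c.Exists == false || c.Exists == "false"
}

// ParseLocalAuthDenyRule extracts a LocalAuthDenyRule from raw policyRule JSON.
// ok is false when the effect is not deny, or when the rule uses operators or
// fields (anyOf, not, tags, location, ...) this lightweight parser will not evaluate.
func ParseLocalAuthDenyRule(rawRule []byte, assignmentParams, defaults map[string]string) (rule LocalAuthDenyRule, ok bool, err error) {
	var pr policyRule
	if err = json.Unmarshal(rawRule, &pr); err != nil {
		return rule, false, err
	}
	if !strings.EqualFold(resolveEffect(pr.Then.Effect, assignmentParams, defaults), "deny") {
		return rule, false, nil
	}
	leaves := pr.If.AllOf
	if leaves == nil {
		leaves = []condition{pr.If} // a single leaf condition with no allOf wrapper
	}
	for _, c := range leaves {
		switch {
		case c.AnyOf != nil || c.Not != nil || c.AllOf != nil:
			return rule, false, nil // nested logic: out of scope for a warning
		case strings.EqualFold(c.Field, "type"):
			t, _ := c.Equals.(string)
			rule.ResourceType = t
		case strings.HasSuffix(strings.ToLower(c.Field), "/disablelocalauth") && requiresTrue(c):
			rule.Field = c.Field
		default:
			return rule, false, nil // tags, location, other properties: cannot evaluate
		}
	}
	return rule, rule.ResourceType != "" && rule.Field != "", nil
}

// TemplateResource is the subset of a Bicep snapshot resource the check needs (assumed shape).
type TemplateResource struct {
	Name       string
	Type       string
	Properties map[string]interface{}
}

// CheckLocalAuth returns one warning per template resource whose type is covered
// by a deny rule and whose disableLocalAuth property is false or missing.
func CheckLocalAuth(rules []LocalAuthDenyRule, resources []TemplateResource) []string {
	var warnings []string
	for _, res := range resources {
		for _, r := range rules {
			if !strings.EqualFold(r.ResourceType, res.Type) {
				continue
			}
			v, present := res.Properties["disableLocalAuth"]
			if present && v == true {
				continue
			}
			state := "missing"
			if present {
				state = fmt.Sprintf("%v", v)
			}
			warnings = append(warnings, fmt.Sprintf("%s (%s): disableLocalAuth is %s but a deny policy requires %s = true",
				res.Name, res.Type, state, r.Field))
		}
	}
	return warnings
}

// sampleRules are constructed policyRule documents, not real definitions from any subscription.
var sampleRules = map[string]string{
	"deny-cog-local-auth": `{"if":{"allOf":[{"field":"type","equals":"Microsoft.CognitiveServices/accounts"},{"field":"Microsoft.CognitiveServices/accounts/disableLocalAuth","notEquals":true}]},"then":{"effect":"[parameters('effect')]"}}`,
	"audit-eh-local-auth": `{"if":{"allOf":[{"field":"type","equals":"Microsoft.EventHub/namespaces"},{"field":"Microsoft.EventHub/namespaces/disableLocalAuth","notEquals":true}]},"then":{"effect":"Audit"}}`,
	"deny-tagged-only":    `{"if":{"allOf":[{"field":"type","equals":"Microsoft.ServiceBus/namespaces"},{"field":"tags['env']","equals":"prod"},{"field":"Microsoft.ServiceBus/namespaces/disableLocalAuth","notEquals":true}]},"then":{"effect":"Deny"}}`,
}

// DemoWarnings runs the check over the constructed rules and a constructed template.
func DemoWarnings() ([]string, error) {
	assignmentParams := map[string]string{"effect": "Deny"} // constructed assignment parameter
	var rules []LocalAuthDenyRule
	for _, raw := range sampleRules {
		r, ok, err := ParseLocalAuthDenyRule([]byte(raw), assignmentParams, map[string]string{"effect": "Audit"})
		if err != nil {
			return nil, err
		}
		if ok {
			rules = append(rules, r)
		}
	}
	resources := []TemplateResource{ // constructed snapshot resources
		{Name: "ai-account", Type: "Microsoft.CognitiveServices/accounts", Properties: map[string]interface{}{}},
		{Name: "ai-secure", Type: "Microsoft.CognitiveServices/accounts", Properties: map[string]interface{}{"disableLocalAuth": true}},
		{Name: "eh-ns", Type: "Microsoft.EventHub/namespaces", Properties: map[string]interface{}{"disableLocalAuth": false}},
	}
	return CheckLocalAuth(rules, resources), nil
}

func main() {
	warnings, err := DemoWarnings()
	if err != nil {
		panic(err)
	}
	for _, w := range warnings {
		fmt.Println("WARNING:", w)
	}
}
```

Only ai-account is reported: the Event Hub rule is Audit rather than Deny, and the Service Bus rule is skipped because its tag condition cannot be evaluated locally, which is exactly why the check stays warning-level.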
