Fix PrivateKeyStatus ordering and make unsupported flag volatile

Access MlDsaPrivateKey before checking _mlDsaPrivateKeyUnsupported so
the flag is set during initialization. Previously, first access would
return DoesNotExist instead of Unknown on unsupported platforms.
Make _mlDsaPrivateKeyUnsupported volatile for correct cross-thread
visibility, consistent with the other initialization flags.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: iNinja

src/Microsoft.IdentityModel.Tokens/X509SecurityKey.cs

@@ -37,7 +37,7 @@ public class X509SecurityKey : AsymmetricSecurityKey
         bool _isMlDsa;
         volatile bool _mlDsaPrivateKeyInitialized;
         volatile bool _mlDsaPublicKeyInitialized;
-        bool _mlDsaPrivateKeyUnsupported;
+        volatile bool _mlDsaPrivateKeyUnsupported;
 #if NET9_0_OR_GREATER
         Lock _thisLock = new();
 #else
@@ -282,10 +282,12 @@ public override PrivateKeyStatus PrivateKeyStatus
                     // DoesNotExist, so Unknown will pass the constructor guard. However, the adapter
                     // will fail with a clear InvalidOperationException (IDX10723) when it attempts
                     // to access the null MlDsaPrivateKey during signing initialization.
+                    MLDsa mlDsaPrivateKey = MlDsaPrivateKey;
+
                     if (_mlDsaPrivateKeyUnsupported)
                         return PrivateKeyStatus.Unknown;
 
-                    return MlDsaPrivateKey != null ? PrivateKeyStatus.Exists : PrivateKeyStatus.DoesNotExist;
+                    return mlDsaPrivateKey != null ? PrivateKeyStatus.Exists : PrivateKeyStatus.DoesNotExist;
                 }
 
                 return PrivateKey == null ? PrivateKeyStatus.DoesNotExist : PrivateKeyStatus.Exists;