Make vision permissions consistent#4885

Draft
jruales wants to merge 1 commit into main from jruales/2026.03-consistent-permissions-images

@jruales jruales commented Mar 31, 2026

Currently we have inconsistent permissions. In the case where an endpoint supports Vision but the organization has preview features disabled, image attachments will not work (because preview features are disabled) but View Image Tool permissions will succeed because it doesn't check for preview features. This PR makes the two consistent by also checking for preview features for scenarios like the View Image Tool.

Here are some screenshots that show the different behaviors:
image

image

And a video from where the screenshots were taken:

agent-screenshot-inconsistency.2.mp4

Copilot AI review requested due to automatic review settings March 31, 2026 22:08

Copilot AI left a comment


Pull request overview

Updates panel prompt rendering so that image handling during tool-result rendering respects both model vision capability and organizational policy for preview features, aligning behavior with other image-related prompt components.

Changes:

  • Gate tool-result image rendering on endpoint.supportsVision and copilotToken.isEditorPreviewFeaturesEnabled().
  • Return a consistent placeholder string when tool-result images are unavailable due to model capability or org policy.

Comment on lines +698 to 699
if (!this.endpoint.supportsVision || !this.authService.copilotToken?.isEditorPreviewFeaturesEnabled()) {
return '[Image content is not available because vision is not supported by the current model or is disabled by your organization.]';
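Review bot: In the added condition, `this.authService.copilotToken?.isEditorPreviewFeaturesEnabled()` evaluates to undefined when `copilotToken` is not set, so the negation treats a missing token the same as an organization that has disabled preview features. Failing closed is the safer default for a policy gate, but here it is implicit; a short comment saying so, or an explicit check for the missing token, would make it deliberate. The returned placeholder also merges the two causes into one message, so a reader cannot tell whether the model lacks vision or the organization disabled it; consider a separate string per cause.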

Copilot AI Mar 31, 2026


This adds the org-policy gate (copilotToken.isEditorPreviewFeaturesEnabled()) for tool-result images, but other image paths in panel prompts (e.g. FileVariable attaches @vscode/prompt-tsx Image directly) don’t apply this check, so images may still be sent even when preview features are disabled. Consider applying the same permission check everywhere images can enter the prompt (or centralizing the decision) to avoid policy bypass/inconsistent behavior.

Copilot uses AI. Check for mistakes.
Comment on lines +698 to 699
if (!this.endpoint.supportsVision || !this.authService.copilotToken?.isEditorPreviewFeaturesEnabled()) {
return '[Image content is not available because vision is not supported by the current model or is disabled by your organization.]';

Copilot AI Mar 31, 2026


There’s no unit coverage for PrimitiveToolResult.onImage() behavior when vision is blocked by org policy (isEditorPreviewFeaturesEnabled() === false). Since this changes prompt output, add a focused test that renders a tool result containing an image LanguageModelDataPart and asserts the placeholder string is produced when preview features are disabled (and that image rendering still occurs when enabled).

Copilot uses AI. Check for mistakes.
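
The centralized check suggested in the first review comment, with the enabled and disabled cases the second comment asks to cover, sketched as an added example (not code from this PR or the project). Only `supportsVision`, `isEditorPreviewFeaturesEnabled()` and the placeholder text come from the page; every other name is hypothetical.

```typescript
// Added example. Interfaces and function names are hypothetical stand-ins.
interface VisionEndpoint { readonly supportsVision: boolean; }
interface PreviewToken { isEditorPreviewFeaturesEnabled(): boolean; }

type ImageDecision =
	| { allowed: true }
	| { allowed: false; reason: 'model-no-vision' | 'no-token' | 'org-policy' };

// Placeholder text copied from the changed lines quoted in the review.
const IMAGE_PLACEHOLDER = '[Image content is not available because vision is not supported by the current model or is disabled by your organization.]';

// Single decision point. A missing token fails closed, and each denial
// carries its own reason so callers can log or message it separately.
function decideImageAccess(endpoint: VisionEndpoint, token: PreviewToken | undefined): ImageDecision {
	if (!endpoint.supportsVision) {
		return { allowed: false, reason: 'model-no-vision' };
	}
	if (!token) {
		return { allowed: false, reason: 'no-token' };
	}
	if (!token.isEditorPreviewFeaturesEnabled()) {
		return { allowed: false, reason: 'org-policy' };
	}
	return { allowed: true };
}

// Every path that can place an image in a prompt goes through this wrapper,
// so an attachment and a tool result cannot disagree about policy.
function imageOrPlaceholder<T>(endpoint: VisionEndpoint, token: PreviewToken | undefined, render: () => T): T | string {
	return decideImageAccess(endpoint, token).allowed ? render() : IMAGE_PLACEHOLDER;
}

// Constructed sample inputs.
const previewOn: PreviewToken = { isEditorPreviewFeaturesEnabled: () => true };
const previewOff: PreviewToken = { isEditorPreviewFeaturesEnabled: () => false };
const visionModel: VisionEndpoint = { supportsVision: true };

// Two hypothetical entry points sharing the same gate.
function renderAttachment(token: PreviewToken | undefined): string {
	return imageOrPlaceholder(visionModel, token, () => '<Image src=attachment>');
}
function renderToolResult(token: PreviewToken | undefined): string {
	return imageOrPlaceholder(visionModel, token, () => '<Image src=tool-result>');
}
```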
@jruales jruales requested a review from justschen March 31, 2026 22:29
@jruales jruales marked this pull request as draft April 3, 2026 22:24