Open
Description
Runtime SBOMs miss dependencies that are statically linked.
Build-time SBOMs are very large, as they contain the entire bootstrap chain of all tools used in the build.
If we differentiated between nativeBuildInputs and buildInputs, we could kind of have a middle ground where we list dependencies that are likely to end up being part of the final artifact without including all the build-time tooling in the SBOM.
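The middle ground described above, as an added example that is not part of the issue or of any project's code: starting from JSON in the shape of `nix derivation show -r <installable>`, walk only `buildInputs` and `propagatedBuildInputs` transitively and compare the result with the full `inputDrvs` closure a build-time SBOM would carry. The sample graph is constructed with placeholder store hashes, and it assumes packages built by `stdenv.mkDerivation` without `__structuredAttrs` (with structured attrs those variables are not in `env`, so this parser would see nothing).

```python
"""
Added example (not from the issue): split a derivation's transitive inputs into
a "likely in the artifact" set (buildInputs / propagatedBuildInputs, followed
transitively) and the full build-time inputDrvs closure.

Assumptions, not stated in the issue:
  * input is a dict shaped like `nix derivation show -r` output: keyed by .drv
    path, each record with "name", "outputs", "env" and "inputDrvs";
  * env.buildInputs / nativeBuildInputs / propagatedBuildInputs are
    space-separated store paths (stdenv.mkDerivation without __structuredAttrs);
  * the SAMPLE graph below is constructed, with placeholder hashes.
"""
import json

PREFIX = "/nix/store/"
HASH = "0" * 32  # placeholder, real paths carry a 32-char base32 hash


def out_path(name, output="out"):
    return f"{PREFIX}{HASH}-{name}" + ("" if output == "out" else f"-{output}")


def drv_path(name):
    return f"{PREFIX}{HASH}-{name}.drv"


def _entry(name, outputs=("out",), build="", native="", propagated="", deps=()):
    """One constructed `nix derivation show` record."""
    return {
        "name": name,
        "outputs": {o: {"path": out_path(name, o)} for o in outputs},
        "env": {"buildInputs": build, "nativeBuildInputs": native,
                "propagatedBuildInputs": propagated},
        "inputDrvs": {drv_path(d): ["out"] for d in deps},
    }


# Constructed sample graph: myapp links openssl and zlib, is built with
# pkg-config and cmake; cmake itself links openssl; openssl is built with perl.
SAMPLE = {
    drv_path("myapp-1.0"): _entry(
        "myapp-1.0",
        build=f"{out_path('openssl-3.0.13', 'dev')} {out_path('zlib-1.3.1')}",
        native=f"{out_path('pkg-config-0.29.2')} {out_path('cmake-3.29.2')}",
        deps=["openssl-3.0.13", "zlib-1.3.1", "pkg-config-0.29.2",
              "cmake-3.29.2", "stdenv-linux"]),
    drv_path("openssl-3.0.13"): _entry(
        "openssl-3.0.13", outputs=("out", "dev"),
        native=out_path("perl-5.38.2"), deps=["perl-5.38.2", "stdenv-linux"]),
    drv_path("zlib-1.3.1"): _entry("zlib-1.3.1", deps=["stdenv-linux"]),
    drv_path("pkg-config-0.29.2"): _entry("pkg-config-0.29.2", deps=["stdenv-linux"]),
    drv_path("cmake-3.29.2"): _entry(
        "cmake-3.29.2", build=out_path("openssl-3.0.13"),
        deps=["openssl-3.0.13", "stdenv-linux"]),
    drv_path("perl-5.38.2"): _entry("perl-5.38.2", deps=["stdenv-linux"]),
    drv_path("stdenv-linux"): _entry("stdenv-linux"),
}
ROOT = drv_path("myapp-1.0")


def output_index(drvs):
    """Map every output store path back to the .drv that produces it."""
    idx = {}
    for d, rec in drvs.items():
        for out in rec["outputs"].values():
            idx[out["path"]] = d
    return idx


def listed_inputs(rec, idx, variables):
    """Resolve the store paths named in the given env variables to .drv paths."""
    found = set()
    for var in variables:
        for path in rec.get("env", {}).get(var, "").split():
            if path in idx:  # plain strings or sources are not derivations; skip
                found.add(idx[path])
    return found


def closure(drvs, root, step):
    """Transitive closure from root; step(record) yields direct .drv dependencies."""
    seen, todo = set(), [root]
    while todo:
        for dep in step(drvs[todo.pop()]):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen


def build_time_sbom(drvs, root):
    """Everything the build pulled in, including tool bootstrap chains."""
    return closure(drvs, root, lambda rec: set(rec.get("inputDrvs", {})))


def middle_ground_sbom(drvs, root):
    """Only buildInputs/propagatedBuildInputs, followed transitively."""
    idx = output_index(drvs)
    return closure(drvs, root, lambda rec: listed_inputs(
        rec, idx, ("buildInputs", "propagatedBuildInputs")))


def names(drvs, paths):
    return sorted(drvs[p]["name"] for p in paths)


if __name__ == "__main__":
    # With real data: drvs = json.load(open("show.json")) from `nix derivation show -r`.
    drvs = json.loads(json.dumps(SAMPLE))
    print("build-time:   ", names(drvs, build_time_sbom(drvs, ROOT)))
    print("middle ground:", names(drvs, middle_ground_sbom(drvs, ROOT)))
```

The heuristic inherits the limits the issue mentions: anything copied into the output from a nativeBuildInputs tool (or from a source tarball) still goes unlisted, and a buildInputs entry that only contributes headers at build time is listed although it never reaches the artifact.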