
Commit 217d75f

fix(iam): add validation for OrganizationPrincipal IDs (#33968)
### Issue # (if applicable)

Closes #32756.

### Reason for this change

There's a security issue with the `OrganizationPrincipal` class in AWS CDK. When using `iam.OrganizationPrincipal` with an empty or invalid organization ID, it still grants access to AWS resources but without properly applying the organization condition. This creates a security risk because:

1. It grants permissions to AWS: "*" (any AWS principal)
2. The condition that should restrict access to a specific organization is not properly applied

A previous fix (PR #33555) was implemented but later reverted (PR #33773) because it broke compatibility with code using tokens for organization IDs.

### Description of changes

This PR adds token-aware validation to the `OrganizationPrincipal` constructor to ensure organization IDs match the required pattern (`^o-[a-z0-9]{10,32}$`) when they are literal strings, while maintaining compatibility with tokens. Pattern defined here: https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html#API_Organization_Contents

Key changes:

- Added validation in `OrganizationPrincipal` constructor that only applies to literal strings (not tokens)
- Created comprehensive unit tests for the validation logic
- Updated existing tests to use valid organization IDs

The implementation uses `Token.isUnresolved()` to check if the organization ID is a token before applying validation, which addresses the regression that caused the previous fix to be reverted.

### Describe any new or updated permissions being added

No new IAM permissions are being added. This change only affects validation of organization IDs used in IAM policies.

### Description of how you validated changes

- Added a dedicated test file (organization-principal.test.ts) which covers various scenarios:
  - Valid organization IDs
  - Empty strings (rejected with error)
  - Invalid formats (rejected with error)
  - Token values (pass through without validation)
- Updated existing tests in function.test.ts, bucket.test.ts, and integration tests to use valid organization IDs
- Verified all unit tests pass in the affected modules
- Ran integration tests to ensure the changes work correctly in deployed resources

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 89d2d5c commit 217d75f
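The token-aware check the commit message describes, as an added example written for this page (it is not aws-cdk-lib's own implementation and does not import it). The regex is the one cited above. `isUnresolved` stands in for CDK's `Token.isUnresolved()` by looking for the `${Token[...]}` marker that stringified CDK tokens carry; that is an approximation, since the real check also consults the token map. `buildOrgTrustStatement` and `isAcceptedOrgId` are hypothetical helpers: the first emits the statement shape seen in the integ snapshot on this page (any AWS principal, gated by `aws:PrincipalOrgID`), the second reports accept/reject without throwing.

```typescript
// Added example, not aws-cdk-lib code: validate an AWS Organizations ID
// before it is baked into an IAM condition, but let deploy-time tokens
// through untouched so parameter-driven stacks keep working.

// Pattern from the Organizations API reference (Organization.Id).
const ORG_ID_PATTERN = /^o-[a-z0-9]{10,32}$/;

// Assumption: a stringified CDK token looks like "${Token[TOKEN.123]}".
// This is a stand-in for Token.isUnresolved(), not the real implementation.
const TOKEN_MARKER = /\$\{Token\[[A-Za-z0-9._-]+\]\}/;

function isUnresolved(value: string): boolean {
  return TOKEN_MARKER.test(value);
}

// Throws on empty or malformed literals; returns tokens unchanged.
function validateOrganizationId(organizationId: string): string {
  if (isUnresolved(organizationId)) {
    // Value is only known at deploy time; nothing to check at synth.
    return organizationId;
  }
  if (organizationId.length === 0) {
    throw new Error('OrganizationPrincipal: organizationId must not be empty');
  }
  if (!ORG_ID_PATTERN.test(organizationId)) {
    throw new Error(
      `OrganizationPrincipal: "${organizationId}" does not match ${ORG_ID_PATTERN}`,
    );
  }
  return organizationId;
}

interface TrustStatement {
  Action: string;
  Condition: { StringEquals: { 'aws:PrincipalOrgID': string } };
  Effect: 'Allow';
  Principal: { AWS: string };
}

// Hypothetical helper: the trust-policy statement an OrganizationPrincipal
// renders to. Because the principal is "*", the condition is the only thing
// keeping this from being world-assumable, which is why an unchecked literal
// is dangerous.
function buildOrgTrustStatement(organizationId: string): TrustStatement {
  const orgId = validateOrganizationId(organizationId);
  return {
    Action: 'sts:AssumeRole',
    Condition: { StringEquals: { 'aws:PrincipalOrgID': orgId } },
    Effect: 'Allow',
    Principal: { AWS: '*' },
  };
}

// Hypothetical helper: non-throwing probe used in the checks below.
function isAcceptedOrgId(candidate: string): boolean {
  try {
    validateOrganizationId(candidate);
    return true;
  } catch {
    return false;
  }
}
```

A literal such as `o-1234` (the old fixture value in the snapshot on this page) is rejected, `o-12345abcde` (the new one) is accepted at exactly the 10-character lower bound, and a string containing a token marker passes through so that a `CfnParameter` or cross-stack reference can still supply the ID.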

File tree

13 files changed (+360, -90 lines)


packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.assets.json

+4-3

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ-iam-role-1.template.json

+1-1
@@ -105,7 +105,7 @@
105105
"Action": "sts:AssumeRole",
106106
"Condition": {
107107
"StringEquals": {
108-
"aws:PrincipalOrgID": "o-1234"
108+
"aws:PrincipalOrgID": "o-12345abcde"
109109
}
110110
},
111111
"Effect": "Allow",
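Review bot: `o-12345abcde` sits at the exact lower bound of `^o-[a-z0-9]{10,32}$` (10 characters after the `o-` prefix), so this fixture is now the shortest value the constructor will accept, while the previous `o-1234` would throw at synth time; the snapshot change is therefore required by the new validation rather than cosmetic. The `StringEquals` operator and the `aws:PrincipalOrgID` key are untouched, so the only difference in the deployed trust policy is the literal. Consider a one-line comment next to the ID in the integ test source saying it must match the Organizations ID pattern, so a future edit does not reintroduce a short placeholder that breaks the integ run.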

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integ.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/integiamroleDefaultTestDeployAssert48737E31.assets.json

+2-1

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.role.js.snapshot/manifest.json

+174-3
