[8.6.0] Only use workspace facts for validation with --lockfile_mode=error (h… (#28766)

…ttps://github.com/bazelbuild/bazel/pull/28718)

When validating the facts in a lockfile with `--lockfile_mode=error`,
only use the user-visible lockfile, not the hidden output root lockfile
Fixes #28717

No

- [X] I have added tests for the new use cases (if any).
- [ ] I have updated the documentation (if applicable).

RELNOTES: Fix --lockfile_mode=error validation when rolling back changes
to module extension facts

Closes #28718.

PiperOrigin-RevId: 874282163
Change-Id: I1479dcd6b756dc9d8b01183c4bfe15dd8700aeba

<!--
Thank you for contributing to Bazel!
Please read the contribution guidelines:
https://bazel.build/contribute.html
-->

### Description
<!--
Please provide a brief summary of the changes in this PR.
-->

### Motivation
<!--
Why is this change important? Does it fix a specific bug or add a new
feature?
If this PR fixes an existing issue, please link it here (e.g. "Fixes
#1234").
-->

### Build API Changes
<!--
Does this PR affect the Build API? (e.g. Starlark API, providers,
command-line flags, native rules)
If yes, please answer the following:
1. Has this been discussed in a design doc or issue? (Please link it)
2. Is the change backward compatible?
3. If it's a breaking change, what is the migration plan?
-->

No

### Checklist

- [ ] I have added tests for the new use cases (if any).
- [ ] I have updated the documentation (if applicable).

### Release Notes

<!--
If this is a new feature, please add 'RELNOTES[NEW]: <description>'
here.
If this is a breaking change, please add 'RELNOTES[INC]: <reason>' here.
If this change should be mentioned in release notes, please add
'RELNOTES: <reason>' here.
-->

RELNOTES: None

Commit
https://github.com/bazelbuild/bazel/commit/ce5f8ba8a7d3741c2e2fd3fe9a8b8aaa25de4ef6

Co-authored-by: Ted Kaplan <tkaplan@roku.com>