Harden VPCe Policies for AppStream environments

[kpark277]

Issue #, if available:

Description of changes:

• App Stream environments will have VPC endpoints for STS and KMS that are limited to only BYOB resources from onboarded BYOB studies
• App Stream S3 VPCe no longer allows writing out to buckets outside of main account

Checklist:

• Have you successfully deployed to an AWS account with your changes?
• Have you written new tests for your core changes, as applicable?
• Have you successfully tested with your changes locally?
• If new dependencies have been added, have they been pinned to specific versions?
• Is this change also required on the AWS Solution version?
• Have you updated openapi.yaml if you made updates to API definition (including add, delete or update parameter and request data schema)?
• If you had to run manual tests, have you considered automating those tests by adding them to end-to-end tests?
• If you are updating the changelog and vending out a new release, have you updated versionNumber and versionDate in .defaults.yml

AS review ticket id:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.