Service credentials are not updated on reinvocation after another admission plugin modified the service account #1475

@masinger

Description

Describe the bug
When processing an admission request that has been processed previously, the environment variables assigned during the first invocation are kept.

Failing to do so might result in a situation where the wrong credentials are projected into the container, if another admission plugin modifies the serviceAccountName.

Steps To Reproduce

  • Configure another mutating admission webhook (e.g. a Kyverno policy) that
    • is invoked after the aks-webhook-admission-controller
    • sets the .spec.serviceAccountName to unprivileged-account
  • Create a Pod that
    • uses Azure Workload Identities
    • has its serviceAccountName set to admin-account
  • Observe that the resulting container is assigned to the service account unprivileged-account (as per policy) while still possessing the admin-account's credentials (e.g. CLIENT_ID and CLIENT_SECRET).

Expected behavior
The mutation webhook should update the SDK environment variables (e.g. CLIENT_ID, CLIENT_SECRET) whenever reinvoked.

Environment

  • Kubernetes version (use kubectl version): 1.28.3
  • Cloud provider or hardware configuration: Azure AKS
  • OS (e.g: cat /etc/os-release): Ubuntu

Additional context
The reinvocation has originally been added by #794.
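The two mutation strategies side by side, as an added example that is not the project's own code: a minimal stand-in for the Pod spec, a "skip if already injected" mutator that reproduces the reported behaviour, and a "recompute from the current serviceAccountName" mutator that is safe under reinvocation. The environment variable names, the service-account-to-identity lookup table and the client IDs are constructed for the illustration and are not taken from the project.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes Pod types (assumed shapes, not k8s.io/api).
type EnvVar struct{ Name, Value string }
type Container struct {
	Name string
	Env  []EnvVar
}
type PodSpec struct {
	ServiceAccountName string
	Containers         []Container
}

// Identity is the workload identity bound to a service account (constructed lookup).
type Identity struct{ ClientID, TenantID string }

// Variable names managed by the webhook (assumed for the example).
const (
	envClientID = "AZURE_CLIENT_ID"
	envTenantID = "AZURE_TENANT_ID"
)

var managedEnv = map[string]bool{envClientID: true, envTenantID: true}

func hasManagedEnv(env []EnvVar) bool {
	for _, e := range env {
		if managedEnv[e.Name] {
			return true
		}
	}
	return false
}

// mutateSkipIfPresent reproduces the reported bug: once the managed variables
// exist on a container, a later invocation leaves them untouched, so credentials
// derived from the *original* service account survive a change of serviceAccountName.
func mutateSkipIfPresent(spec *PodSpec, identities map[string]Identity) {
	id, ok := identities[spec.ServiceAccountName]
	if !ok {
		return
	}
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if hasManagedEnv(c.Env) {
			continue // stale credentials are kept on reinvocation
		}
		c.Env = append(c.Env, EnvVar{envClientID, id.ClientID}, EnvVar{envTenantID, id.TenantID})
	}
}

// mutateRecompute drops every previously injected managed variable and re-derives
// the set from the serviceAccountName as it is *now*. User-defined env vars are kept.
// If the current service account has no identity, nothing is injected, so credentials
// never outlive the account they belong to.
func mutateRecompute(spec *PodSpec, identities map[string]Identity) {
	id, hasIdentity := identities[spec.ServiceAccountName]
	for i := range spec.Containers {
		c := &spec.Containers[i]
		fresh := make([]EnvVar, 0, len(c.Env)+2)
		for _, e := range c.Env {
			if !managedEnv[e.Name] {
				fresh = append(fresh, e)
			}
		}
		if hasIdentity {
			fresh = append(fresh, EnvVar{envClientID, id.ClientID}, EnvVar{envTenantID, id.TenantID})
		}
		c.Env = fresh
	}
}

func envValue(env []EnvVar, name string) string {
	for _, e := range env {
		if e.Name == name {
			return e.Value
		}
	}
	return ""
}

// Simulate runs the webhook once for a Pod using admin-account, lets another
// admission plugin rewrite the service account to finalSA, then reinvokes the
// webhook and reports which client ID the container ends up with.
func Simulate(mutate func(*PodSpec, map[string]Identity), finalSA string) string {
	identities := map[string]Identity{ // constructed mapping
		"admin-account":        {ClientID: "client-id-admin", TenantID: "tenant-example"},
		"unprivileged-account": {ClientID: "client-id-unpriv", TenantID: "tenant-example"},
	}
	spec := &PodSpec{ServiceAccountName: "admin-account",
		Containers: []Container{{Name: "app", Env: []EnvVar{{"LOG_LEVEL", "info"}}}}}
	mutate(spec, identities)       // first invocation
	spec.ServiceAccountName = finalSA // e.g. a Kyverno policy changes the SA
	mutate(spec, identities)       // reinvocation
	return envValue(spec.Containers[0].Env, envClientID)
}

func main() {
	fmt.Println("skip-if-present:", Simulate(mutateSkipIfPresent, "unprivileged-account"))
	fmt.Println("recompute:      ", Simulate(mutateRecompute, "unprivileged-account"))
}
```

Recomputing on every invocation also covers the case where the rewritten service account has no bound identity at all: the credentials from the first pass are removed rather than left behind, which is the property a reinvocation-safe mutating webhook needs.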

Labels: bug