Service accounts can be added to LDAP-synced groups

See [425947](https://gitlab.com/gitlab-org/gitlab/-/issues/425947) for
details.

Allows adding service account users to groups even when LDAP sync is
enabled. To do this, we make some major changes:

- Add a new permission: `admin_service_account_members` ; this way we
  can check for group admin permissions even when those have been
  mostly disabled by setting the group to LDAP syncing
- Switch which permission we check in the service layer when creating
  new `Member` objects for groups <-> service account users
- Remove multiple layers of duplicative permission checking from the API
  and upper-level services

The new permission is only valid when the `service_accounts` licensed
feature is enabled.

Added some additional error handling to ensure there are no changes in
the API status codes or object returns.

Changelog: changed
EE: true