Allow to pin policies by digest

when reference a policy, it would be useful to pin them by hash, just to ensure that the policy version at schema creation time is the one used at evaluation time. 
```
schemaVersion: "v1"
policies:
  attestation:
    - ref: testdata/policies/policy_rego.yaml@sha256:fcae9e0e7313c6467a7c6632ebb5e5fab99bd39bd5eb6ee34a211353e647827a
```
