Check CRL revocation reasons

[mcpherrinm]

Inspired by https://bugzilla.mozilla.org/show_bug.cgi?id=1931886

We should have end-to-end monitoring that the reason code we use when revoking in the churner is what appears in the CRL.

We can also check in the CRL diff that revocation reasons don't change, except upgrading to keyCompromise https://github.com/letsencrypt/boulder/blob/2678e688060e91af545cb6055cdb22c156e087cb/ra/ra.go#L2044C1-L2071C2