EncryptedExtensions trust anchor list should be filtered by connection properties

[davidben]

The original intent was that the server's EncryptedExtensions list would still be filtered by trust anchors that were suitable for the connection (e.g. sigalgs) and there's even text alluding to this here:

https://tlswg.org/tls-trust-anchor-ids/draft-ietf-tls-trust-anchor-ids.html#section-8.2-2:~:text=If%2C%20for%20example%2C%20a%20server%20uses%20the%20server_name%20extension%20to%20select%20services%2C%20the%20addition%20to%20EncryptedExtensions%20in%20Section%204.3%20is%20expected%20to%20be%20filtered%20by%20server_name.

But I don't see it in Section 4, so I think we may have forgotten to write that. Filtering the server list helps avoid mishaps on the retry.