Description
Currently, the signature digest algorithm for CSRs is hardcoded to SHA-256. This introduces challenges for clients that support ECDSA-P384 or -P521 where the digest algorithms are SHA-384/512 respectively, since most signing libraries will automatically select the digest based on the signature algorithm.
In Fulcio v2, we should remove this hardcoded digest algorithm and select the digest based on the signature algorithm. This would be a breaking change to do this now in Fulcio v1, since clients may already handle this for non-SHA256 signature algorithms.
Discussion in #1938 (comment)
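The mismatch described above, as an added example that is not Fulcio's code: a signature produced with the curve's usual digest fails a verifier that always hashes with SHA-256, and passes one that selects the digest from the key's curve. The names `digestByCurve`, `sum` and `demo` are hypothetical, the message is constructed, and a raw ECDSA signature stands in for the CSR signature.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers SHA-256
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"fmt"
)

// digestByCurve (hypothetical name) pairs each NIST curve with its usual digest.
var digestByCurve = map[elliptic.Curve]crypto.Hash{
	elliptic.P256(): crypto.SHA256,
	elliptic.P384(): crypto.SHA384,
	elliptic.P521(): crypto.SHA512,
}

// sum hashes msg with h.
func sum(h crypto.Hash, msg []byte) []byte {
	d := h.New()
	d.Write(msg)
	return d.Sum(nil)
}

// demo signs a constructed message with the curve's own digest, as a client
// library would, then verifies with fixed SHA-256 and with the selected digest.
func demo(c elliptic.Curve) (fixed, selected bool, err error) {
	h, ok := digestByCurve[c]
	if !ok {
		return false, false, fmt.Errorf("unsupported curve %s", c.Params().Name)
	}
	key, err := ecdsa.GenerateKey(c, rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg := []byte("constructed sample payload")
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum(h, msg))
	if err != nil {
		return false, false, err
	}
	fixed = ecdsa.VerifyASN1(&key.PublicKey, sum(crypto.SHA256, msg), sig)
	return fixed, ecdsa.VerifyASN1(&key.PublicKey, sum(h, msg), sig), nil
}

func main() {
	fmt.Println(demo(elliptic.P384()))
}
```

For P-256 both checks succeed, which is why a fixed SHA-256 digest only surfaces as a problem once P-384 or P-521 keys are used.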