Introduce a TDX and SNP verify subcommand

[alexmwu]

trafficstars

In https://github.com/google/go-tpm-tools/pull/523 we remove the abillity for the verify debug command to verify a TPM attestation and TDX/SNP attestation at the same time. This is desirable since the verification result is a weak one, with not crypto binding. However, we should still allow for people to use the gotpm CLI to verify SNP and TDX attestations individually, since that is our recommended entrypoint for customers.