warehouse
`_is_valid_dist_file` doesn't discern where a `PKG-INFO`/`WHEEL` file is in the archive
Noticed in #16703 that `_is_valid_dist_file` currently checks for `PKG-INFO` or `WHEEL` files to be present in a sdist or wheel, but doesn't validate where they are in the archive, so putting any file with a matching name anywhere in the archive will allow it to pass.
Our tests currently place these at the root of the archive, but they should actually be within a specific top-level directory for both file types, and validation should fail if they exist but aren't in that directory.
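
The gap described above, as an added example that is not Warehouse's own code: a name-only check (a simplified stand-in for the reported behaviour) next to a hypothetical location-aware check. It assumes the standard layouts `{name}-{version}.dist-info/WHEEL` for wheels and `{name}-{version}/PKG-INFO` for sdists, derives the expected directory from the upload's file name by exact string match, and uses constructed archive contents; all function names are illustrative.

```python
import io
import tarfile
import zipfile


def name_only_check(names, target):
    # Simplified stand-in for the behaviour described in the issue:
    # a matching file name anywhere in the archive is accepted.
    return any(n.rsplit("/", 1)[-1] == target for n in names)


def location_check(names, filename):
    # Hypothetical stricter check: the metadata file must sit in the single
    # top-level directory implied by the archive's own file name.
    if filename.endswith(".whl"):
        name, version = filename[: -len(".whl")].split("-")[:2]
        expected = f"{name}-{version}.dist-info/WHEEL"
    elif filename.endswith(".tar.gz"):
        expected = filename[: -len(".tar.gz")] + "/PKG-INFO"
    else:
        return False
    return expected in names


def wheel_names(paths):
    # Build a constructed in-memory zip and return its member names.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            zf.writestr(p, "constructed sample")
    with zipfile.ZipFile(io.BytesIO(buf.getvalue())) as zf:
        return zf.namelist()


def sdist_names(paths):
    # Build a constructed in-memory .tar.gz and return its member names.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for p in paths:
            data = b"constructed sample"
            info = tarfile.TarInfo(p)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:gz") as tf:
        return tf.getnames()
```
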