fix(iam): cannot grant lambda:InvokeFunction on ManagedPolicy or Policy via grantInvoke() method (#32984)

### Issue # (if applicable)

Closes #32980.

### Reason for this change

`lambda.Function.grantInvoke()` throws an error when a `ManagedPolicy` or a `Policy` is passed.
It should add a policy statement to grant `lambda:InvokeFunction` on the policy document.

### Description of changes

#### Core changes in `(Managed)PolicyGrantPrincipal` internal classes
Since `grantInvoke()` wants `policyFragment.conditions`, `policyFragment` now returns a `PolicyFragment` object with the principal ARN refers a token.
When the grantPrincipal is used as a resource policy, the token will cause a resolution error.

#### Additional changes
see also [rix0rrr's comment](#32984 (review))
- `assumeRoleAction` now throws an error instead of `'sts:AssumeRole'`.
- Updated the error message.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

- Added/updated tests to verify `grantInvoke()` works.
- Updated unit tests to verify `app.synth()` throws instead of `Grant.addTo...()`.
- Some `class DummyResource implements IResourceWithPolicy` are replaced by S3 bucket to ensure to create a resource policy (S3 bucket policy).

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: Tietew

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json

@@ -44,6 +44,32 @@
          "Arn"
         ]
        }
+      },
+      {
+       "Action": "lambda:InvokeFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "Function76856677",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "Function76856677",
+             "Arn"
+            ]
+           },
+           ":*"
+          ]
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"
@@ -118,6 +144,75 @@
      "Version": "2012-10-17"
     }
    }
+  },
+  "FunctionServiceRole675BB04A": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "Function76856677": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "export const handler = async () => null"
+    },
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "FunctionServiceRole675BB04A",
+      "Arn"
+     ]
+    },
+    "Runtime": "nodejs22.x"
+   },
+   "DependsOn": [
+    "FunctionServiceRole675BB04A"
+   ]
+  },
+  "FunctionLogGroup55B80E27": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "LogGroupName": {
+     "Fn::Join": [
+      "",
+      [
+       "/aws/lambda/",
+       {
+        "Ref": "Function76856677"
+       }
+      ]
+     ]
+    },
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
   }
  },
  "Parameters": {