[cli] drive the AF_XDP node path through the vtep.Datapath seam (APO-795)

[dilyevsky]

Closes the last open APO-795 sub-item: repoint cli/main.go onto the
vtep.Datapath seam.

The seam, the afxdp wrapper, and the netstack/tun drivers all landed in
#3. But the node path still constructed forwarder.NewForwarder(...) and called
forwarder.Start directly, so the per-node / tunnelproxy VTEP was the one
consumer bypassing the seam every other driver runs behind.

Change

Build the forwarder exactly as before (as afxdp.Wrap documents), then wrap it
and drive dp.Run(gctx) instead of fwd.Start(gctx):

dp := afxdp.Wrap(fwd)
...
g.Go(func() error {
    if err := dp.Run(gctx); err != nil && !errors.Is(err, context.Canceled) {
        return fmt.Errorf("datapath: %w", err)
    }
    return nil
})

Why this stays byte-identical

afxdp.Datapath is a pure lifecycle adapter -- Run delegates straight to
forwarder.Start (which self-closes via closeOnce on return) and Close to
the idempotent forwarder.Close. The in-place, shared-UMEM hot loop,
processFrames, and minInPlaceHeadroom live entirely inside forwarder and
are not touched. Run returns Start's error verbatim, so the
errors.Is(context.Canceled) shutdown handling is unchanged. The
forwarder_rxheadroom_test + cp_wire_test guards continue to hold the
byte-identical contract.

Verification

• GOOS=linux GOARCH={arm64,amd64} go build of the cli (mirrors the build-cli
  job) -- green.
• go vet of both modules for linux, and go build ./... for the root module -- green.
• Linux-only guard test binaries (forwarder, root icx) compile against this tree.
• OS-agnostic seam/engine guards pass on the dev host: TestInPlaceRoundTrip,
  TestControlPlanePerDirectionGeneveRoundTrip, and the vtep/netstack
Datapath round-trip tests. The live AF_XDP path needs a real kernel +
  NET_ADMIN, so the kernel-level guards run in CI.

[linear-code]

APO-795