extract virtual operation access check subroutine
    
    Outside of virtual commands themselves there is no way to evaluate
    access to perform a virtual operation.  Such a capability will be
    needed for Dogtag-based certificate request validation using
    Kerberos proxy credentials.
    
    Add the 'check_operation_access' method for explicit virtual
    operation access checks.  Refactor 'VirtualCommand.check_access()'
    to use it.
    
    Part of: https://pagure.io/freeipa/issue/5011
    Part of: https://pagure.io/freeipa/issue/6423
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>