When we added AllowElevated and checked it was working correctly, we
got it slightly wrong. When a container is started, we were adding in
expected mounts that only happen for privileged containers and
using those are mounts that are allowed.

During testing, if AllowElevated was left off, a privileged container
would fail to start seemingly indicating that all was good. However,
all was not good.

A malicious orchestrator with control of the API could create a container
privileged that didn't contain any extra "privileged mounts" and the
container would start as privileged with everything else that being
privileged entails except for the mounts.

This commit adds an explicit check as part of crete container to verify
that is the container is attempting to be started as privileged that it
has AllowElevated.

Maksim and I both thought that this had been implemented. I remember it
being implemented. Apparently that memory is incorrect. Either way, it
was noticed last Thursday and here's the fix.

Signed-off-by: Sean T. Allen <seanallen@microsoft.com>

Signed-off-by: Maksim An <maksiman@microsoft.com>