[confcom] Replace `--diff` with separate `policy diff` command

The fact this functionality is a flag in a policy generation tool has created complexity leading to bugs such as the two separate issues fixed by #9258. We should make this a separate tool so it can't break policy generation.

The new tool should also fully compare all parts of the two policies, the current tool only compares container definitions