FetchContent: Add strict mode requiring URL_HASH to be set and GIT_TAG to be a commit sha
In package managers it would be useful if FetchContent could be made to error whenever the CMake script tries to pull in an external project by branch or tag instead of commit sha. Same for URLs without a provided url_hash. That way we can be reasonably sure that the external project that gets pulled in is actually what the developer intended, and guards against compromised repositories or download servers.