Draft: restrict allowed variable names.

As inspired by @ben.boeckel's comment on !6474 (merged), this MR implements a new policy (numbered CMP0127) which restricts variable names according to the following rules.

  1. If the name contains whitespace, a semicolon (;), an equals sign (=), or forms a valid number, it is rejected.
  2. If the name begins with an underscore (_) or letter, it is accepted.
  3. Otherwise, the name must contain only alphanumeric characters plus the following: _/.+- (i.e. the characters allowed in literal variable references by :policy:CMP0053).

It was easy to implement, so I thought I'd open this MR as a venue for discussion. Currently, the existing tests are working (PkgConfig had to be fixed to strip whitespace from its dynamic variable names), but I have not written any new tests (to save time in case this whole idea is rejected outright).

As it happens, this policy would also fix #21747, which concerns bad behavior when creating cache entries with = in the name.

Edited by Alex Reinking
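
The three rules from the description, applied in the order listed, as an added sketch that is not the MR's implementation. `is_allowed_variable_name` and `looks_like_number` are hypothetical names; treating "valid number" as a plain decimal literal and rejecting the empty name are assumptions the description does not settle.

```cpp
#include <cctype>
#include <iostream>
#include <regex>
#include <string>

// Assumption: "forms a valid number" means a plain decimal literal
// (optional sign, digits, optional fraction, optional exponent).
static bool looks_like_number(const std::string& s) {
  static const std::regex num(R"([+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?)");
  return std::regex_match(s, num);
}

// Hypothetical helper: returns true if the name passes the three rules.
bool is_allowed_variable_name(const std::string& name) {
  if (name.empty()) return false;  // assumption: not covered by the rules

  // Rule 1: whitespace, ';', '=' or a numeric name is rejected outright.
  for (unsigned char c : name) {
    if (std::isspace(c) || c == ';' || c == '=') return false;
  }
  if (looks_like_number(name)) return false;

  // Rule 2: a leading underscore or letter accepts the name as-is,
  // whatever the remaining characters are (e.g. "a$b").
  unsigned char first = static_cast<unsigned char>(name[0]);
  if (first == '_' || std::isalpha(first)) return true;

  // Rule 3: otherwise only alphanumerics and _/.+- are allowed.
  static const std::string extra = "_/.+-";
  for (unsigned char c : name) {
    if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
      return false;
  }
  return true;
}

int main() {
  // Constructed sample names, one or more per rule.
  for (const char* n : {"MY_VAR", "FOO=BAR", "a b", "x;y", "42", "-1.5e3",
                        "_private", "a$b", "1abc", "+flag", "$x", "1.2.3"}) {
    std::cout << n << " -> "
              << (is_allowed_variable_name(n) ? "accepted" : "rejected") << "\n";
  }
  return 0;
}
```
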