
Rework Section 3.2.1: proof of private key possession

Open aarongable opened this issue 2 years ago • 0 comments

The current text is:

Applicants are required to prove possession of the Private Key corresponding to the Public Key in a Certificate request by signing the CSR provided to the Finalize method of the ACME Protocol defined in RFC 8555, Section 7.4.

The procedure here (submitting a CSR with a valid signature to the Finalize endpoint) is correct, and should stay. However, this procedure does not prove possession of the corresponding private key: CSRs are public information and the applicant may have downloaded the CSR from someone's GitHub repo.

We should update the text to indicate that this procedure must be followed but that it does not prove possession of the private key.

aarongable, Sep 26 '23 20:09
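The point the issue makes can be shown directly with the openssl CLI. The following script is an added example, not code from the cp-cps repository or from the issue author. It assumes a POSIX shell and an `openssl` binary on PATH; the subject name `example.test`, the "applicant" and "submitter" roles, and the challenge nonce are constructed for illustration. The first two functions reproduce the check the CP/CPS text describes (verify the CSR's self-signature); the third goes one step beyond the issue text and shows what a check that actually depended on the private key would look like, so that the two can be contrasted.

```shell
#!/bin/sh
# Added example (not from the cp-cps repo or the issue author).
# Demonstrates that verifying a CSR's signature does not prove that the party
# submitting it holds the private key: anyone with the CSR bytes passes the check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "Applicant A" generates a key pair and a self-signed CSR for it.
# Subject name example.test is a constructed placeholder.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/applicant.key" -out "$WORK/applicant.csr" \
    -subj "/CN=example.test" 2>/dev/null
  printf '%s\n' "$WORK/applicant.csr"
}

# The check described in CP/CPS 3.2.1: is the CSR's self-signature valid?
# Exit status 0 means valid. Nothing here requires the private key; the
# public key inside the CSR is enough to verify the signature over the CSR.
verify_csr_signature() {
  openssl req -in "$1" -verify -noout 2>/dev/null
}

# "Submitter B" obtained only the CSR (e.g. copied from a public repo) and
# never the key. B's directory deliberately contains no key file at all,
# yet the same CSR verifies exactly as it did for A.
submit_copied_csr() {
  mkdir -p "$WORK/b"
  cp "$1" "$WORK/b/found.csr"
  verify_csr_signature "$WORK/b/found.csr"
}

# Contrast (beyond the issue text): a check that does depend on the key.
# The verifier picks a fresh nonce and asks for a signature over it; this
# cannot be replayed from a CSR created earlier, and it fails for a party
# that does not actually hold the key file.
sign_challenge() {
  keyfile=$1
  nonce=$2
  out=$3
  printf '%s' "$nonce" | openssl dgst -sha256 -sign "$keyfile" -out "$out" 2>/dev/null
}
```

Running `CSR=$(make_csr); verify_csr_signature "$CSR"; submit_copied_csr "$CSR"` succeeds in both calls, which is the whole point: the Finalize-time CSR signature check is worth keeping as a well-formedness check on the request, but it cannot be cited as proof that the applicant controls the key, because the party at B passes it without ever having seen the key. Only `sign_challenge` distinguishes A (has `applicant.key`) from B (does not).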