Clarify RefNotPermitted and InvalidCertificateRef reasons in API Spec

[robscott]

As a follow up to #1297, @skriss suggested that we should clarify this behavior in the API docs.

• currently the RefNotPermitted reason only talks about routes and backends - this should be expanded to include listeners and secrets, or maybe remove references to specific resource types altogether
• we should clarify the scope of InvalidCertificateRef, exactly what an "invalid" certificate ref is, and that it excludes this case of a disallowed cross-namespace reference

[mlavacca]

/assign

[youngnick]

@mlavacca, would you mind holding off on this one until I get some more work done on #1364? I want to make sure that whatever fix we do here is aligned with what we do there.

[mlavacca]

@youngnick Sure, I'll wait for that one.

[robscott]

@youngnick now that the GEP for #1364 has merged can we unblock this one? I think the work there ended up not requiring any changes to the original plan here, but correct me if I'm wrong.

[youngnick]

Yes, thanks for the poke. This one is unblocked, please go ahead @mlavacca. I'll include any changes you make in my PR to implement #1364, which I'm still working on.