Add `fail_on_changes` to toxgen

[sentrivana]

• if someone makes changes to tox.ini directly without having them reflected in tox.jinja or the script, CI should fail so that we don't end up having a desynced state
• regenerate tox.ini and compare hashes, see if there are differences between the committed and the generated tox.ini
  • this has to be a bit smarter and take into account when the script ran last -- it might happen that re-running the script introduces unrelated changes (because e.g. a new version of a framework was released in the meantime) and thus fails the check even if there were no changes made to tox.ini in the PR
  • save the timestamp of when tox.ini was last generated and committed, read this when regenerating for this check, and run the script ignoring any releases that came out after the timestamp