/kind feature

Describe the solution you'd like
EKS managed nodegroups that were created outside of CAPA, e.g., via CloudFormation or similar, end up with AWS-reserved aws:-prefixed tags on the nodegroup resource. The CAPA validating webhooks correctly forbid users from setting those tag keys in AWSManagedControlPlane.spec.additionalTags (and in AWSManagedMachinePool.spec.additionalTags for cluster-scoped tags), so they cannot appear in CAPA's desired tag map.

During nodegroup reconciliation, CAPA detects a drift between EKS nodegroup tags and desired tags, and attempts to call eks:UntagResource containing the reserved tags. This API call fails since AWS system tags cannot be added or removed, leading to failed reconciliation.

While first-class support for adopting arbitrary pre-existing nodegroups into CAPA is not documented, if nodegroup reconciliation skips aws:-prefixed tags in its tag diffing logic, externally-created nodegroups with such tags can be successfully adopted into CAPA. This will also align tag removal with the same reserved-key rules as tag application, similar to how tags.WithEC2 and tags.WithEKS work today.

Anything else you would like to add:
Nodegroup reconciliation also results in reconciling tags on the backing ASG resource, but the aforementioned logic is not required since EKS does not usually add aws:-prefixed tags to ASGs.

Environment:

• Cluster-api-provider-aws version: v2.10.2
• Kubernetes version: (use kubectl version): v1.34.4-eks-f69f56f
• OS (e.g. from /etc/os-release): N/A