Add verified host-matching caveat for public registry endpoints

Tested end-to-end on live AIO cluster: host field must include full
OCI namespace path (e.g. ghcr.io/azure-samples/explore-iot-operations),
not just the registry domain. Added IMPORTANT callout explaining the
prefix matching behavior and the error message when misconfigured.

Author: jlian

articles/iot-operations/develop-edge-apps/howto-configure-registry-endpoint.md

@@ -349,6 +349,9 @@ spec:
 
 After you create this registry endpoint, you can reference it in your data flow graph as `registryEndpointRef: public-ghcr`. No ORAS pull/push steps are needed because the runtime pulls the artifacts directly from the public registry.
 
+> [!IMPORTANT]
+> The `host` field must include the full path prefix that matches your artifact references. For example, if your artifacts are at `ghcr.io/azure-samples/explore-iot-operations/temperature:1.0.0`, set `host` to `ghcr.io/azure-samples/explore-iot-operations` (not just `ghcr.io`). The runtime matches the host as a prefix against the artifact reference. If the host doesn't match, you see "No valid registry endpoint configuration found" in the WASM graph controller logs.
+
 > [!NOTE]
 > Public registries don't require authentication, but they may have rate limits. For production workloads, consider using a private registry like Azure Container Registry.