Ensure createWithValidatedTenancyScope only builds the $tenant field when VTS is populated from $tenant, since it is invalid to have tenantIds come from both $tenant and the security token.  This was lost when we started passing serialization context into createWithValidatedTenancyScope and create, but this condition should still hold whether or not a valid serialization context is passed in.