…pod events

PR containerd#12491 fixed credential leaks in containerd logs but the gRPC error
returned to kubelet still contained sensitive information. This was
visible in Kubernetes pod events via `kubectl describe pod`.

The issue was that SanitizeError was called inside the defer block,
but errgrpc.ToGRPC(err) was evaluated before the defer ran, so the
gRPC message contained the original unsanitized error.

Move SanitizeError before the return statement so both the logged
error and the gRPC error are sanitized.

Ref: containerd#5453
Signed-off-by: Aadhar Agarwal <[email protected]>