The spec currently isn't clear how a client should meet proof-of-possession requirements such as DPoP for an ID-JAG in the Resource App's Authorization Server token request, or for the token issued by a Resource App's Authorization Server for a Resource App's Resource Server.
OAuth Identity and Authorization Chaining Across Domains has a section on Delegated Key Binding.
ID Assertions currently don't support proof-of-possession, although some folks have found workarounds.
Since actor_token is not used by this profile, we currently don't flow any cnf claims into the ID-JAG.
- Should the client just send a DPoP proof JWT in a DPoP header when making an access token request to the Resource App's Authorization Server?
- A client is currently free to use a different key with each Resource App Authorization Server, as there is no binding back to the ID-JAG.
- Should we also support a DPoP proof with the ID-JAG?
- A client can pass the proof on the token exchange request, we could flow it into the ID-JAG, and the Resource App Authorization Server could verify the proof.
I think it should be possible to bind an ID-JAG to a key.
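The key-binding flow the issue asks about, as an added illustration in Python (not code from the draft or its repository): the IdP copies the RFC 7638 thumbprint of the client's DPoP key from the token exchange request into the ID-JAG's `cnf.jkt`, and the Resource App's Authorization Server then accepts the ID-JAG only if the DPoP proof on its token request uses that same key. The `oauth-id-jag+jwt` typ value, the endpoint URLs and the JWKs are assumptions or constructed samples, and signature verification of both JWTs is left to a JWT library.

```python
import base64, hashlib, json

# Constructed sample EC public keys (JWK); the coordinates are placeholders, not a real key pair.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",
              "y": "y77t-RvAHRKTsSGdIYUfweuOvwrvDD-Q3Hv5J0fSKbE"}
OTHER_JWK = dict(CLIENT_JWK, x="0000ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canon = json.dumps({k: jwk[k] for k in required[jwk["kty"]]}, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(hashlib.sha256(canon.encode()).digest()).rstrip(b"=").decode()

def dpop_proof(jwk, htm, htu, jti):
    """Unsigned stand-in for a DPoP proof JWT (RFC 9449); signing is assumed done by a JWT library."""
    return {"header": {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk},
            "claims": {"htm": htm, "htu": htu, "jti": jti, "iat": 1700000000}}

def issue_id_jag(proof, sub, aud):
    """IdP side (proposed behaviour, not the current draft): bind the ID-JAG to the DPoP key via cnf.jkt."""
    hdr = proof["header"]
    if hdr.get("typ") != "dpop+jwt" or "jwk" not in hdr:
        raise ValueError("token exchange request carried no usable DPoP proof")
    return {"header": {"typ": "oauth-id-jag+jwt", "alg": "ES256"},  # typ value assumed from the draft
            "claims": {"sub": sub, "aud": aud, "cnf": {"jkt": jwk_thumbprint(hdr["jwk"])}}}

def verify_bound_request(id_jag, proof, htm, htu, seen_jti):
    """Resource App AS side: the proof must be for this request, unused, and for the key bound in the ID-JAG."""
    hdr, claims = proof["header"], proof["claims"]
    if hdr.get("typ") != "dpop+jwt" or "jwk" not in hdr:
        return False, "no DPoP proof on the access token request"
    if claims.get("htm") != htm or claims.get("htu") != htu:
        return False, "proof not bound to this request"
    if claims.get("jti") in seen_jti:
        return False, "replayed proof"
    jkt = id_jag["claims"].get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "ID-JAG carries no cnf.jkt, so the client key cannot be checked"
    if jwk_thumbprint(hdr["jwk"]) != jkt:
        return False, "DPoP key differs from the key bound to the ID-JAG"
    seen_jti.add(claims["jti"])  # record the jti so the same proof cannot be presented again
    return True, "ok"

def demo(client_key_at_resource_as=CLIENT_JWK):
    # Token exchange at the IdP, then the access token request at the Resource App AS (constructed URLs).
    idp_proof = dpop_proof(CLIENT_JWK, "POST", "https://idp.example/token", "jti-1")
    id_jag = issue_id_jag(idp_proof, "alice@example", "https://ras.example")
    ras_proof = dpop_proof(client_key_at_resource_as, "POST", "https://ras.example/token", "jti-2")
    return verify_bound_request(id_jag, ras_proof, "POST", "https://ras.example/token", set())
```

Calling `demo()` with the default key succeeds, while `demo(OTHER_JWK)` shows how a client that switched keys at the Resource App AS is rejected once the ID-JAG carries `cnf.jkt`.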