spec: reorder Stripe verification procedure to validate challenge before extracting SPT (#210)

Author: brendanjryan

specs/methods/stripe/draft-stripe-charge-00.md

@@ -233,12 +233,16 @@ contains the following fields:
 
 Servers MUST verify Payment credentials for charge intent:
 
-1. Extract the `spt` from the credential payload
-2. Verify the challenge ID matches the one issued
-3. Verify the challenge has not expired
+1. Verify the challenge ID matches the one issued
+2. Verify the challenge has not expired
+3. Extract the `spt` from the credential payload
 4. Verify the SPT has not been previously used (replay protection)
 5. Validate the SPT exists and is valid via Stripe API (optional pre-check)
 
+Servers MUST complete challenge ID validation and expiry checks (steps 1-2)
+before processing credential material (steps 3-5). This ensures basic
+request validity is established before accessing payment tokens.
+
 ## Challenge Binding
 
 Servers MUST verify that the credential corresponds to the exact challenge