Re: [OAUTH-WG] [EXT] Re: Token substitution in DPoP

2020-11-23 Thread Brian Campbell
It's not a huge burden but does add some non-zero complexity to the protocol as well as size to the proof. And in my mind anyway, doing so would sort of beg the question as to having some similar treatment for authz codes and refresh tokens. Which can, of course, also be done. But adds more

Re: [OAUTH-WG] [EXT] Re: Token substitution in DPoP

2020-11-23 Thread Michael A Peck
I agree with having the DPoP proof cover the access token (unless there's some burden on the clients doing so that I'm unaware of). That would also limit the ability to pre-compute DPoP proofs with future timestamps (I sent an email to the list about this on 1 April) if an attacker can perform
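To make concrete what "having the DPoP proof cover the access token" means in the two messages above, the following is an added example, not code from either poster or from the DPoP draft. It binds the proof to the token the way RFC 9449 later standardised as the `ath` claim (base64url of the SHA-256 of the access token's ASCII value) and shows the resource-server check rejecting a proof presented with a substituted token, as well as a proof pre-computed with a future `iat`. The HMAC signature is an assumed stand-in for the asymmetric JWS a real DPoP proof carries (with the client's public key in its `jwk` header); the key, token values and URL are constructed placeholders.

```python
"""Bind a DPoP proof to an access token via `ath` and verify it on the resource server.

Constructed example. HMAC is a placeholder for the asymmetric JWS signature of real DPoP.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def access_token_hash(access_token: str) -> str:
    """`ath` value: base64url(SHA-256(ASCII(access_token))), as defined in RFC 9449 section 4.2."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())


def make_proof(key: bytes, method: str, url: str, access_token: str,
               iat: Optional[int] = None) -> str:
    """Client side: build a proof that is bound to one HTTP request AND one access token."""
    # ASSUMPTION: HS256 stands in for ES256/RS256 with a `jwk` header in a real DPoP proof.
    header = {"typ": "dpop+jwt", "alg": "HS256"}
    payload = {
        "jti": secrets.token_urlsafe(16),          # unique id so the server can reject replays
        "htm": method,
        "htu": url,
        "iat": int(time.time()) if iat is None else iat,
        "ath": access_token_hash(access_token),    # the binding discussed in the thread
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("ascii"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_proof(key: bytes, proof: str, method: str, url: str, access_token: str,
                 now: Optional[int] = None, max_age: int = 300,
                 leeway: int = 30) -> Tuple[bool, str]:
    """Resource-server side: every check must pass before the access token is honoured."""
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "malformed proof"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature"
    header = json.loads(b64url_decode(parts[0]))
    if header.get("typ") != "dpop+jwt":
        return False, "wrong typ"
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("htm") != method or payload.get("htu") != url:
        return False, "htm/htu mismatch"
    now = int(time.time()) if now is None else now
    iat = payload.get("iat")
    # A proof minted far in the future (pre-computed) or too old is refused.
    if not isinstance(iat, int) or iat < now - max_age or iat > now + leeway:
        return False, "iat outside acceptance window"
    # The proof must name the token actually presented; a swapped token fails here.
    if not hmac.compare_digest(str(payload.get("ath", "")), access_token_hash(access_token)):
        return False, "ath mismatch: proof bound to a different access token"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # constructed placeholder
    url = "https://rs.example/resource"             # constructed placeholder
    proof = make_proof(key, "GET", url, "constructed-access-token-A")
    print(verify_proof(key, proof, "GET", url, "constructed-access-token-A"))
    print(verify_proof(key, proof, "GET", url, "constructed-access-token-B"))
```

The server never needs to know how the proof was produced: it recomputes `ath` from the token it received and compares, so a proof harvested alongside token A is useless with token B, and a proof cannot be signed before the token it must hash exists.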