At the moment the raw authorization ID is compared against the current authenticated principal, however we need to be comparing the result of name rewriting as applied to the authorization ID as this is the identity we will try and run as.