The 3scale backend authorizes the application before the request is sent upstream. And you are using a client that is supposed to have access to 3scale regardless of which authentication flow you use. You want to further restrict it and reject that access in some cases. To make that happen we would:
- Remove the check that aud contains the app_id.
- Make the azp claim (where we expect the app_id) configurable, so we can be compatible with other IdPs.
- Introduce a policy for arbitrary JWT claim verification. You'll be able to require whatever aud claim you want (and even use Liquid, like in the other policies).