Verify the claims from JWT submitted by clients in auth

[sandhose]

It seems like we're not validating anything form the JWTs sent for client auth. What should be checked is defined in RFC7523: https://www.rfc-editor.org/rfc/rfc7523#section-3

[matrixbot]

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/907