better aligns with standard OAuth2, in which audience is generally the URL a request/token is sent to.
a DID document might have multiple authorization servers associated with it, URL scopes the VP to a specific AS, rather than any of the DID.
it also works if the AS (verifier) does not have a DID.
it simplifies the Nuts node API: just 1 argument to pass (authorization server URL) instead of 2 (authz server URL AND auth server DID); less things that can go wrong and less complexity.
RFC021 states the following for the VP that is sent by the client to the AS for authentication:
I propose changing this to the authorization server URL a.k.a. issuer URL (https://datatracker.ietf.org/doc/html/rfc8414#section-2). This would give the following advantages: