oauth-wg / oauth-sd-jwt-vc

draft-terbu-sd-jwt-vc
Creative Commons Zero v1.0 Universal

Add language on x5c protection #240

Open awoie opened 2 weeks ago

awoie commented 2 weeks ago

To mitigate attacks described in the X.509 IETF RFC here, we should add something like the following language:

If x5c is in the unprotected header or was received out-of-band, the verifier MUST check the x5t protected header.

Note that COSE has this language built in, but JOSE leaves that open.
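
The check proposed in the comment above, sketched as an added example that is not part of the issue thread or the draft. The function name `usable_x5c` and the sample values are assumptions, and `x5t#S256` (RFC 7515) is handled alongside `x5t` as a generalization.

```python
import base64
import hashlib
import hmac

# Thumbprint header parameters from RFC 7515 and the digest each one uses.
THUMBPRINTS = {"x5t": hashlib.sha1, "x5t#S256": hashlib.sha256}


def b64url(data):
    """base64url without padding, the encoding JOSE uses for x5t values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def usable_x5c(protected, unprotected=None, out_of_band=None):
    """Return the certificate chain a verifier may use, or raise ValueError."""
    if "x5c" in protected:
        return protected["x5c"]  # already covered by the JWS signature
    chain = (unprotected or {}).get("x5c") or out_of_band
    if not chain:
        raise ValueError("no x5c available")
    # x5c entries are standard base64 (not base64url) DER certificates, leaf first.
    leaf_der = base64.b64decode(chain[0], validate=True)
    present = [name for name in THUMBPRINTS if name in protected]
    if not present:
        raise ValueError("x5c is unprotected and the protected header has no x5t")
    for name in present:
        actual = b64url(THUMBPRINTS[name](leaf_der).digest())
        if not hmac.compare_digest(actual.encode(), str(protected[name]).encode()):
            raise ValueError(name + " does not match the leaf certificate in x5c")
    # Only the leaf is pinned here; path validation and signature checks still follow.
    return chain


# Constructed sample input: placeholder bytes stand in for DER certificates.
ISSUER_LEAF = base64.b64encode(b"constructed issuer leaf").decode()
OTHER_LEAF = base64.b64encode(b"constructed substituted leaf").decode()
PROTECTED = {"alg": "ES256",
             "x5t": b64url(hashlib.sha1(b"constructed issuer leaf").digest())}

if __name__ == "__main__":
    print(usable_x5c(PROTECTED, unprotected={"x5c": [ISSUER_LEAF]}))
    try:
        usable_x5c(PROTECTED, out_of_band=[OTHER_LEAF])
    except ValueError as err:
        print("rejected:", err)
```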

bc-pi commented 2 weeks ago

Noting that the current text requires using x5c and says nothing about protected vs. unprotected.

https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#name-issuer-signed-jwt-verificat