Direct workload identity federation does not require service account impersonation in order to exchange an access token. Commit 7219e27 adds support for direct access token exchange.
When given file-sourced credentials, they may be in either text (default) or json format. When the json format is used, a subject_token_name_field must be present. Commit 2a30438 adds support for json credential sources as well as missing (default) format.