Summary
The following bullet in the referenced section is problematic:
The client presenting the access token has to provide proof of possession to the Access token and the identity of the client to the resource server
The client does not provide proof of possession "to the Access token". It either provides proof of possession of the Access token, or it provides proof of possession, using the Access Token, to the Provider API server.
Please rewrite to clarify.
Link to standards item
https://apistandards.digital.health.nz/api-security/TokenProtectionandClientAuthentication#token-protection
Which area of the standards does this apply to?