@aaronpk so is the authorization server supposed to validate a client certificate before handing out the access token or is that up to the resource server or does the access token get returned encrypted with the bound public key?