Reinstate the check on the 'ath' claim in dpop validation

[ylebre]

The current implementation allows the 'ath' claim to be missing. This is done for backwards compatibility with client libraries that do not have this claim in the token.

The 'ath' claim was not part of the original dpop specification draft (https://datatracker.ietf.org/doc/id/draft-ietf-oauth-dpop-01.html section 4.2), but is part of the current draft (https://datatracker.ietf.org/doc/id/draft-ietf-oauth-dpop-11.html at the time of this issue).

When client implementations have caught up with the ath claim, we should start checking for this claim again to align with the newer version of the draft specs.