For public clients during the `refresh_token` grant flow, the DPoP Proof `PublicKey` must be the same as the access token `PublicKey` binding. Related gh-1813
