The text in https://bitbucket.org/openid/ekyc-ida/pull-requests/50 explicitly mentions bearer tokens when talking about access tokens.
We should at least make clear that, when the OP’s access token is used, sender-constrained tokens (MTLS, DPoP) can be used.
When the OP’s access token is not used (i.e. an access token is provided for the particular resource), it is not clear whether that token can be sender-constrained.
An additional consideration is that the protocol doesn’t define a way to prevent the client from supplying an access token to the resource, so an unnecessary access token may be sent out, which presents an unnecessary vector for the token to be leaked.