[Authority] identify the natural person in applies_to

Issue #1433 new
Kosuke Koiwai created an issue

When putting a natural person in applies_to, we should be able to uniquely identify the person with the sub value, or maybe even with iss and sub from other IDPs (given that client_id is shared).

Use case: A child has an account at an IDP and their parent also has an account at the same IDP. The child wants to use a specific service of an RP but needs consent from the parent. The child creates a pending account at the RP and sends a request to the parent. The parent sends verified_claims to the RP, expressing authority over the child identified with the sub value, so that the RP can exactly tell that the child has consent from the parent.
