§5.2.3,#1 requires public clients to use "request" or "request_uri"
How is the client supposed to sign the request object?
Good point. It needs more text around it. The premise is that to have the request object signed by the underlying TLS library using the key established for the Token Binding. Perhaps @ve7jtb can chime in and fill the void.