As I interpret the specs ( https://openid.net/specs/openid-connect-core-1_0.html#RequestObject ) currently RPs aren't required to include aud in the request object:
The aud value SHOULD be or include the OP's Issuer Identifier URL.
i.e. this 'should' needs to be a 'must' in FAPI I think.
I am also dubious about the "or" part. An exact match seems like a better idea to me.
I suspect we need to do a fuller check on any other fields that are mandatory in request objects.
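A check of the kind discussed above, written as an added example that is not code from the original post, the OpenID specs or any FAPI implementation. It parses an HS256-signed request object JWT (signing helper included so the sample input can be constructed inline), then validates its aud claim against the OP's Issuer Identifier in two modes: strict (aud must be present and must equal the issuer exactly, the proposed FAPI "must") and lenient (aud may be a list that merely includes the issuer, the OIDC Core "be or include" wording). The issuer URL and HMAC key are constructed values for the demo.

```python
"""Validation of the `aud` claim of an OIDC request object (constructed example)."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed values for the demo: the OP's Issuer Identifier and a shared
# HMAC key standing in for whatever key the OP would really verify with.
OP_ISSUER = "https://op.example.com"
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed JWT carrying `claims` (helper for constructing test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def parse_request_object(jwt: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the HS256 signature and return the claims; raise ValueError on any failure."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the alg the sender picked
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def check_aud(claims: dict, issuer: str = OP_ISSUER, strict: bool = True) -> Tuple[bool, str]:
    """Check the request object's aud against the OP's Issuer Identifier.

    strict=True  : aud MUST be present and MUST equal the issuer exactly
                   (a single string, or a one-element list holding it).
    strict=False : aud may be a list that merely *includes* the issuer,
                   which is what the OIDC Core 'be or include' wording allows.
    """
    if "aud" not in claims:
        return False, "aud missing"
    aud = claims["aud"]
    if isinstance(aud, str):
        auds = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        auds = aud
    else:
        return False, "aud has wrong type"
    if issuer not in auds:
        return False, "aud does not contain the OP issuer"
    if strict and auds != [issuer]:
        return False, "aud contains audiences other than the OP issuer"
    return True, "ok"


def validate_request_object(jwt: str, issuer: str = OP_ISSUER, strict: bool = True) -> Tuple[bool, str]:
    """Signature check first, then the aud policy; (ok, reason) for logging/auditing."""
    try:
        claims = parse_request_object(jwt)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return check_aud(claims, issuer, strict)


if __name__ == "__main__":
    sample = make_request_object({"aud": [OP_ISSUER, "https://other.example"], "client_id": "rp1"})
    print("strict :", validate_request_object(sample, strict=True))
    print("lenient:", validate_request_object(sample, strict=False))
```

The same multi-audience request object passes the lenient check and fails the strict one, which is exactly the difference between the Core "be or include" text and an exact-match requirement; returning a reason string rather than a bare boolean lets the OP log why a request object was refused.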