I think there’s an odd interaction with JARM and the FAPI-R spec which doesn’t entirely make sense to me. When you’re using FAPI-R+openid+jarm, FAPI-R requires that clients send nonce. However, nonce isn’t part of the JARM response, so there’s actually nothing binding the JARM response to the client session.
FAPI-RW also specifically excludes this situation from requiring support/use of PKCE. https://openid.net/specs/openid-financial-api-part-2-wd-05.html#authorization-server :
shall require [RFC7636] with S256 as the code challenge method for public clients only, if it supports public clients;
(that clause is somewhat odd anyway as FAPI-RW no longer allows public clients)
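As an added illustration (not from the original post or the FAPI/JARM specs), a minimal client-side JARM response validator showing which claims the client can check on the response JWT, with `nonce` absent and `state` the per-request value it can match against the session. It assumes HS256 with a constructed shared key (real authorization servers use asymmetric keys), an assumed issuer and client_id, and a `session` dict holding the request's `state`.

```python
import base64, hmac, hashlib, json, time

# Constructed shared key for illustration only; a real AS signs JARM
# responses with an asymmetric key that the client verifies via its JWKS.
AS_KEY = b"constructed-demo-key"
AS_ISSUER = "https://as.example"  # assumed issuer identifier
CLIENT_ID = "client-123"          # assumed client_id (JARM 'aud')

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jarm_response(claims: dict) -> str:
    """Build a JARM response JWT (what the AS would send), HS256 for demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def validate_jarm_response(jwt: str, session: dict, now: int = None) -> dict:
    """Client-side checks: signature, iss, aud, exp, then bind to the session
    via 'state'. JARM carries no 'nonce'; with the code flow the nonce is only
    checked later, on the ID token returned by the token endpoint."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = jwt.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects alg=none
    expected = hmac.new(AS_KEY, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if "error" in claims:
        raise ValueError(f"authorization error: {claims['error']}")
    # 'state' is the per-request value the JARM response echoes back.
    if not hmac.compare_digest(str(claims.get("state", "")), session["state"]):
        raise ValueError("state does not match session")
    return {"code": claims["code"], "state": claims["state"]}
```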