Confidential clients must support specific authentication methods to AS token endpoint

Issue #44 resolved
Tom Clancy created an issue

Clients and AS should support both MTLS and private_key_jwt to afford the option, but must support one or the other:

iGov current:

[2.3.2] Full clients, native clients with dynamically registered keys, and direct access clients as defined above MUST authenticate to the authorization server's token endpoint using a JWT assertion as defined by the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants using only the private_key_jwt method defined in OpenID Connect Core. The JWT assertion MUST be signed by the client using the client's private key.

FAPI2:

[5.3.1.1] #6 The AS shall authenticate clients using one of the following methods:
• MTLS as specified in section 2 of [RFC8705]
• private_key_jwt

Suggested statement to drive support:

[2.2.3] Confidential clients MUST support authentication to the authorization server's token endpoint using MTLS or private_key_jwt, and SHOULD support both MTLS and private_key_jwt.

Comments (1)