If I’ve followed things correctly, the token defined in https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html#rfc.section.2 is almost a valid id_token - the only difference I spotted vs https://openid.net/specs/openid-connect-core-1_0.html#IDToken is that it doesn’t include an exp and perhaps nonce - all of which are technically optional to check in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
(It does contain a number of claims that are unique to the user statement token, but OIDC clients are required to ignore unknown claims in an id_token so that potentially wouldn’t prevent something accepting a user statement token as an id_token.)
That might be worthy of a security consideration (people may accidentally or deliberately include iat/exp), but as per https://tools.ietf.org/html/rfc8725#section-3.11 it may be worth considering adding a typ header to help avoid any future confusion.
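The confusion described in this post, shown as an added example (not code from the post or from either spec): a minimal ID Token validator that only checks exp and nonce when present accepts a user-statement-shaped token, while the same validator with the RFC 8725 §3.11 explicit-typing check rejects it. The HS256 secret, issuer, client id, the typ value "id_token+jwt" and the extra claim name are all constructed for the demo, not taken from the specs.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"                  # constructed for this example only
ISSUER, CLIENT = "https://op.example", "client-123"  # constructed values

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(header: dict, claims: dict) -> str:
    """Sign a compact JWS (HS256) over the given header and claims."""
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_id_token(token: str, expected_typ=None) -> dict:
    """ID Token checks in the spirit of OIDC Core 3.1.3.7; expected_typ adds RFC 8725 3.11 explicit typing."""
    h, c, s = token.split(".")
    good = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(s)):
        raise ValueError("bad signature")
    header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
    if expected_typ is not None and header.get("typ") != expected_typ:
        raise ValueError(f"rejected: typ={header.get('typ')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != ISSUER or CLIENT not in aud:
        raise ValueError("wrong iss/aud")
    # exp (and nonce) are only checked when present, which is exactly what
    # lets a user statement token with no exp and no nonce pass as an ID Token.
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("expired")
    return claims  # unknown claims are ignored, as OIDC Core requires of clients

now = int(time.time())
ID_TOKEN = mint({"alg": "HS256", "typ": "id_token+jwt"},  # typ value assumed for the demo
                {"iss": ISSUER, "sub": "alice", "aud": [CLIENT], "iat": now, "exp": now + 300})
# User statement token as the draft shapes it: no exp, no nonce, no typ, plus its own claims
# (the claim name below is a hypothetical placeholder, not one from the draft).
USER_STATEMENT = mint({"alg": "HS256"},
                      {"iss": ISSUER, "sub": "alice", "aud": [CLIENT], "iat": now,
                       "statement_placeholder": "claim unique to the user statement token"})

def accepted_as_id_token(token: str, expected_typ=None) -> bool:
    """True if the validator would hand this token back as a valid ID Token."""
    try:
        validate_id_token(token, expected_typ)
        return True
    except ValueError:
        return False
```

Without the typ requirement both tokens validate; with it, only the token minted as an ID Token does.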