OK, got it working. Thanks!
For anyone watching at home, once you’ve got the object allocated, the code in the Rule to store it looks like this:
context.idToken['https://mydomain.com/user-account'] = user.app_metadata.userAccount;
When my SDK API code reads the user object, as usual, no extra work required, the user object contains a property whose name is the same as the key used to access the idToken object in the line above.
var foo = user['https://mydomain.com/user-account']
reads the object in the client code.
The Rule editor complains that I should use dot notation rather than a string key, but I wasn’t able to get that to work.
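
A complete Rule built around the assignment in the post above, as an added example that is not part of the original post and is not Auth0's own code. The function name, the `runRule` harness, the `id`/`plan` allow-list and the sample user are assumptions, and it goes beyond the post by copying only selected fields into the token instead of the whole object.

```javascript
// Added example: an Auth0 Rule in the (user, context, callback) form.
// CLAIM is the namespaced key used in the post; everything else is assumed.
const CLAIM = 'https://mydomain.com/user-account';
const EXPOSED_FIELDS = ['id', 'plan']; // hypothetical allow-list of fields

function addUserAccountClaim(user, context, callback) {
  const meta = user.app_metadata || {}; // app_metadata can be absent
  const account = meta.userAccount;
  if (!account || typeof account !== 'object') {
    // Nothing to add: continue the pipeline with the token unchanged.
    return callback(null, user, context);
  }

  // ID token claims are readable by whoever holds the token, so copy only
  // the fields the client needs instead of the whole stored object.
  const exposed = {};
  for (const field of EXPOSED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(account, field)) {
      exposed[field] = account[field];
    }
  }

  context.idToken = context.idToken || {};
  // The key is a URL containing ':', '/', '.' and '-', so it is not a valid
  // identifier and has to be set with bracket notation.
  context.idToken[CLAIM] = exposed;
  return callback(null, user, context);
}

// Constructed harness standing in for the Rules pipeline: runs the rule
// against a user object and returns the resulting ID token claims.
function runRule(user) {
  let claims = null;
  addUserAccountClaim(user, { idToken: {} }, (err, u, ctx) => {
    if (err) throw err;
    claims = ctx.idToken;
  });
  return claims;
}

// Constructed sample user; internalNote must not reach the token.
const sampleUser = {
  app_metadata: { userAccount: { id: 'acct_123', plan: 'pro', internalNote: 'x' } },
};
console.log(runRule(sampleUser)[CLAIM]);
```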