ID Token and Access Token: What Is the Difference?

Thanks for the detailed reply. I’m developing some understanding of and appreciation for your points.

I see that the crucial point is that the access token is meant to carry authorization information, while the ID token is not. However, applications may have their own authorization mechanisms that were built independently of an OAuth framework, and so have no need of the OAuth scopes and other attributes that could be inserted into the token. All they need is identity. I note your argument that sender constraints are meant to be used with access tokens, not identity tokens, though this would not seem to be the case with the MTLS approach, which is entirely independent of tokens. I don’t know enough about DPoP.

Thanks again.
