Your observation is correct, however the sub syntax / pattern isn’t documented in the public docs as far as I can tell.
Side note: I mentioned this pattern before in this post, where there was a question how to be able to differentiate between tokens issued via Client Credentials Grant and else.