From draft Stuttgart security analysis:
Section 14.1.2 and DC API: [OID4VP draft 24, Section 14.1] should be updated to incorporate OID4VP
over the DC API. Paragraph 3, for example, says that the audience value must be the client ID but
in this case the audience value is always the origin asserted by the DC API.
(I think there was some discussion already about splitting out security considerations for DC API & non-DC API cases... if anyone has the issue handy please add it!)
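As an added illustration of the point above (example code written for this note, not taken from the spec or any OID4VP implementation): a verifier-side audience check where the value the presentation's `aud` must match depends on how the request was delivered. It assumes the verifier records, per request, whether it went over the DC API and, if so, the origin the browser asserted; the `RequestContext` fields and the plain-string origin form are assumptions made here for illustration, not values defined by the draft.

```python
"""Verifier-side audience check that distinguishes DC API from non-DC API requests.

Added example, not code from the OID4VP spec. Assumptions (not from the draft):
- the verifier stores, per request, whether it was sent over the DC API and the
  origin the DC API asserted for it;
- the audience is compared as an exact string against the presentation's `aud`,
  which per RFC 7519 may be a single string or a list of strings.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class RequestContext:
    """What the verifier knows about one outgoing presentation request."""
    client_id: str                        # client ID used for the non-DC API flow
    via_dc_api: bool                      # True if the request went over the DC API
    asserted_origin: Optional[str] = None  # origin the DC API asserted, if any


def expected_audience(ctx: RequestContext) -> str:
    """Return the single value the presentation's `aud` must carry.

    Over the DC API the audience is the origin the browser asserted, never the
    client ID; outside the DC API it is the client ID.
    """
    if ctx.via_dc_api:
        if not ctx.asserted_origin:
            # A DC API request with no asserted origin cannot be bound to a
            # verifier, so refuse rather than fall back to the client ID.
            raise ValueError("DC API request without an asserted origin")
        return ctx.asserted_origin
    return ctx.client_id


def audience_matches(ctx: RequestContext, aud: Union[str, List[str]]) -> bool:
    """Check a presentation's `aud` claim against the transport-specific expectation.

    Exact string comparison only: no normalisation of scheme, case or trailing
    slashes, so an origin and a client ID that merely look alike do not match.
    """
    values = aud if isinstance(aud, list) else [aud]
    return expected_audience(ctx) in values


if __name__ == "__main__":
    # Constructed sample contexts; the identifiers are placeholders.
    plain = RequestContext(client_id="verifier.example", via_dc_api=False)
    dc = RequestContext(client_id="verifier.example", via_dc_api=True,
                        asserted_origin="https://verifier.example")
    print(audience_matches(plain, "verifier.example"))        # True
    print(audience_matches(dc, "verifier.example"))           # False: client ID is not the origin
    print(audience_matches(dc, "https://verifier.example"))   # True
```

The deliberate failure on a DC API request with no asserted origin is the point of the check: silently falling back to the client ID would reintroduce exactly the mismatch the paragraph describes.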