verify that request objects are not usable as private_key_jwt client authentication

As per https://github.com/oauthstuff/draft-oauth-par/issues/41#issuecomment-617856097 we should probably try using a valid request object as a client assertion, and ensure the server rejects it. (To spell it out: it would be bad if a server accepted it, as it's very easy for an attacker to obtain a valid request object in FAPI R/W as they are normally passed via the browser, and hence it would allow the attacker to access the token endpoint.)

This would involve creating a 100% valid client assertion and removing the 'sub' claim from it, as https://tools.ietf.org/html/rfc7523#section-3 requires the sub claim to be present.

Related to #784 (closed) that checks a related possibility for the client.
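
Added example, not part of the original issue or of the conformance suite's code: a sketch of the server-side claim checks that make a request object fail as a `private_key_jwt` client assertion. The function name, client_id and URLs are constructed for illustration, signature verification is assumed to have already succeeded, and accepting either the issuer or the token endpoint URL as `aud` is an assumption about the server's policy.

```python
import time

# Constructed sample values (hypothetical client and authorization server).
NOW = 1_700_000_000
CLIENT_ID = "client-example"
ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"

def validate_client_assertion(claims, client_id, accepted_audiences, now=None):
    """Return the reasons to reject; an empty list means the claims pass.
    Hypothetical helper: the JWT signature is assumed to be verified already."""
    now = time.time() if now is None else now
    errors = []
    # OpenID Connect Core private_key_jwt: iss must be the client_id.
    if claims.get("iss") != client_id:
        errors.append("iss missing or not the client_id")
    # RFC 7523 section 3: sub is required and, for client authentication,
    # must be the client_id. A request object carries no sub.
    if "sub" not in claims:
        errors.append("sub missing")
    elif claims["sub"] != client_id:
        errors.append("sub is not the client_id")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if not any(a in accepted_audiences for a in aud_values):
        errors.append("aud does not identify this authorization server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("exp missing or in the past")
    return errors

# Constructed claim sets: a well-formed client assertion, and a request
# object of the kind passed through the browser.
CLIENT_ASSERTION = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                    "exp": NOW + 60, "jti": "constructed-jti-1"}
REQUEST_OBJECT = {"iss": CLIENT_ID, "aud": ISSUER, "exp": NOW + 300,
                  "client_id": CLIENT_ID, "response_type": "code id_token",
                  "redirect_uri": "https://client.example.com/cb",
                  "scope": "openid", "state": "constructed-state",
                  "nonce": "constructed-nonce"}
# The test input described above: a valid assertion with 'sub' removed.
ASSERTION_WITHOUT_SUB = {k: v for k, v in CLIENT_ASSERTION.items() if k != "sub"}

def check(claims):
    return validate_client_assertion(claims, CLIENT_ID, {ISSUER, TOKEN_ENDPOINT}, now=NOW)
```

With these inputs the `iss`, `aud` and `exp` checks all pass for the request object, so the `sub` check is the only one that rejects it.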
