CreateSession: client certificate shall be verified to be the same as secure channel
The client certificate provided in the CreateSession request is currently ignored by the server; it shall be verified.
OPC UA specification 1.05, Part 4, Table 15 makes this verification mandatory (it was not mandatory in 1.03/1.04):
If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate. For SecureChannels that use the Application Instance Certificate the Server shall verify that this Certificate is the same as the one it used to create the SecureChannel.
Not verifying this certificate had no security impact: the server already uses the client certificate of the secure channel for the cryptographic challenges of session establishment and ignores the one from the CreateSession request, so the client was bound to the secure channel certificate for those challenges even when it supplied a different certificate in the CreateSession request.
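The Table 15 rule as a server-side check, written here as an added example and not taken from the project this issue concerns; the SecureChannelContext structure, the status names and the byte strings standing in for DER certificates are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Real OPC UA security policy URI for the "None" policy.
SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"

# Symbolic status results (named after OPC UA Part 4 status codes; numeric values omitted).
GOOD = "Good"
BAD_CERTIFICATE_INVALID = "Bad_CertificateInvalid"


@dataclass(frozen=True)
class SecureChannelContext:
    """Hypothetical server-side state kept from OpenSecureChannel."""
    security_policy_uri: str
    # DER bytes of the client certificate used to open the channel; None for policy None.
    client_certificate: Optional[bytes]


def check_create_session_certificate(channel: SecureChannelContext,
                                     request_certificate: Optional[bytes]) -> str:
    """Apply the Part 4 Table 15 rule to the clientCertificate of a CreateSession request.

    - Policy None: the certificate field is ignored, whatever it contains.
    - Any other policy: the DER bytes must be identical to those used to open the channel.
    """
    if channel.security_policy_uri == SECURITY_POLICY_NONE:
        return GOOD
    if channel.client_certificate is None:
        # A channel using the Application Instance Certificate always has one; treat
        # the absence as an inconsistent state rather than silently accepting.
        return BAD_CERTIFICATE_INVALID
    if request_certificate is None or request_certificate != channel.client_certificate:
        # Covers an empty/null ByteString as well as a different certificate.
        return BAD_CERTIFICATE_INVALID
    return GOOD


if __name__ == "__main__":
    # Constructed byte strings, not real certificates.
    channel_cert = b"\x30\x82\x01\x00CHANNEL-CERT"
    other_cert = b"\x30\x82\x01\x00OTHER-CERT"
    signed = SecureChannelContext(
        "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", channel_cert)
    print(check_create_session_certificate(signed, channel_cert))  # Good
    print(check_create_session_certificate(signed, other_cert))    # Bad_CertificateInvalid
```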