client_id can't be simply derived from the credential subject, since there can be multiple VPs in vp_token and multiple credential subjects in the VPs. In my opinion, client_id is passed by the client/RP with some form of authentication, so we should derive it.
The current Nuts node implementation makes a best guess of the credential subject of the first presentation in vp_token, but this should be addressed in the RFC.