Add iss parameter to redirect URLs to mitigate "mix-up" attacks (as per RFC 9207) #52

@Potherca


RFC 9207 "OAuth 2.0 Authorization Server Issuer Identification" describes how an iss HTTP parameter can be used to mitigate a "mix-up" attack:

In authorization responses to the client, including error responses, an authorization server supporting this specification MUST indicate its identity by including the iss parameter in the response.

The iss parameter value is the issuer identifier of the authorization server that created the authorization response, as defined in [RFC8414]. Its value MUST be a URL that uses the "https" scheme without any query or fragment components.

This security measure is advised by the Best Current Practice for OAuth 2.0 Security (RFC 9700) and by @uvdsl (see the conversation in uvdsl/solid-oidc-client-browser#12).
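The client-side half of the check described above, as an added example that is not code from this issue or from any project it references: the client records which authorization server it sent the user to, keyed by state, and on the redirect back compares the iss parameter to that server's issuer identifier before it will use the code. The issuer, redirect URI and state values are constructed for the example.

```javascript
// Added example (not from the issue or any project it references): an
// RFC 9207 `iss` check on an authorization response. A response whose `iss`
// does not name the server the client actually started the flow with is
// rejected, which is what defeats the "mix-up" of two authorization servers.

// Constructed sample of the per-request state a client persists before
// redirecting (in a browser this would live in sessionStorage), keyed by `state`.
const pendingAuthorizations = new Map([
  ["st-42", { issuer: "https://as.example.com", redirectUri: "https://app.example.org/cb" }],
]);

// RFC 9207: the value MUST be an https URL without query or fragment components.
function isValidIssuerIdentifier(value) {
  let url;
  try { url = new URL(value); } catch { return false; }
  return url.protocol === "https:" && url.search === "" && url.hash === "";
}

// Returns { ok: true, code } on success, otherwise { ok: false, reason }.
function validateAuthorizationResponse(redirectUrl, pending = pendingAuthorizations) {
  const params = new URL(redirectUrl).searchParams;
  const state = params.get("state");
  const expected = pending.get(state);
  if (!expected) return { ok: false, reason: "unknown_state" };

  const iss = params.get("iss");
  // A client that knows the server supports RFC 9207 must not accept a response without `iss`.
  if (iss === null) return { ok: false, reason: "missing_iss" };
  if (!isValidIssuerIdentifier(iss)) return { ok: false, reason: "malformed_iss" };
  // Plain string comparison against the issuer the flow was started with; no normalization.
  if (iss !== expected.issuer) return { ok: false, reason: "issuer_mismatch" };

  // Error responses carry `iss` too (RFC 9207 requires it), so they pass through the same check.
  if (params.has("error")) return { ok: false, reason: `error:${params.get("error")}` };
  const code = params.get("code");
  if (!code) return { ok: false, reason: "missing_code" };
  return { ok: true, code };
}
```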
