Good point, Andy. Even if the ZTN token carries very specific audience and scope claims, the fact that the rendezvous key serves as an authorization "pass" means that this is a non-issue.
I also suspected that using the rendezvous token/key as authentication token in place of ZTN would present some problems for validation.
On the other hand, could you not have the situation where what is a valid ZTN token at the destination is not valid at the source? If both are in the same organization, I suppose not, but inter-organizational? That is, the issuer and audience recognized by one is not recognized by the other (ZTN validates those two things, at least on a JWT bearer token, correct?)
Al