What about JWT+DPoP? It would address many of the author's concerns.
https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proo...
The JWT specification itself is not trusted by security experts. This should preclude all usage of them for anything related to security and authentication.