Clarification required on 403 INVALID_TOKEN_CONTEXT vs 422 UNNECESSARY_IDENTIFIER #369
Description
Problem description
I should confess that I'm a bit confused about the use of 403 INVALID_TOKEN_CONTEXT vs 422 UNNECESSARY_IDENTIFIER in the context of a 3-legged access token.
Are we supposed to use set 1 or 2 below?
Set 1:
Rule 1: If in the access token the device identifier is A and in the body we have B then we throw back 403 INVALID_TOKEN_CONTEXT
Rule 2: If in the access token the device identifier is A and in the body we have A then we throw back 422 UNNECESSARY_IDENTIFIER
Set 2:
When I'm reading our design document I can also understand
Rule 1: If in the access token the device identifier is A and in the body we have B then we throw back 422 UNNECESSARY_IDENTIFIER
Rule 2: If in the access token the device identifier is A and in the body we have A then we throw back 422 UNNECESSARY_IDENTIFIER
Expected action
Additional context