Well, for any Twitch staff following along: I worked around this issue by not using the Twitch id_tokens anymore: https://github.com/mtgatracker/mtgatracker-webtask/pull/7/files#diff-3c3d50f3c617d6af6483e5934320b99fR214
As it is, I don’t really see a point in id_tokens at all. Even as a “secondary” method of verifying the response from the original OAuth request (i.e. against the jwk), there’s nothing that relates the access_token to the id_token, so it’s pretty much validating two separate pieces of info (rather than double-validating the info that matters, in this case, the access_token). Furthermore, without a way to refresh the id_token, the double-validation-but-not-really only works once.
Maybe this is just me not getting it, but… well, I don’t get it.