For clarification, neither of the points you listed are required to be compliant. 10 min is just a recommendation, the requirement is it just has to be shortly after issuance. And the 2nd point about it locking down all tokens is also just a recommendation, and in Twitch’s case they do not follow this recommendation so is not relevant to this thread.