So that means you ALREADY HAVE a service running somewhere online where the extension (and the game) connects to?
This is literally the best place to implement all the server side code - including JWT validation. This service CAN BE your EBS if you want.
EBS is just a common name. It means “Extension Backend Service”. You could also name it “Game Server” or probably use a “REST API” as EBS (debending on your use case).
An EBS can be a fingle file (process) or a complex application. Depending on what you want it to do.
You are a GameDev,r ight? Think of your Extension being a game client for a Lobby-based game, your EBS would be the game server where the client connects, authenticates (using the JWT in our case) and gets assigned to a room (lobby) where all the other clients in this Lobby ID (twitch channel) are connected.
Hopefully I was able to make things clear.
Edit:
Just an idea for handling: At connect time you do already know the channel id from onAuthorized callback. If not (jmeans the viewer did not accept ID share yet), simply do not connect but ask the user for permission. This has to be achieved in JS on the extension side.