docs: add comment about pending DPoP test coverage (H1)
Note: Full DPoP validation test coverage requires ES256 token minting and DPoP proof helpers. Deferred to dedicated DPoP test module. Current coverage exercised indirectly through oauth_token tests.