Allow restricting the set of home servers for which tokens are issued

[MSC4195](https://github.com/matrix-org/matrix-spec-proposals/pull/4195) says:

> An access control policy should be applied based on the result of the OpenID token validation. For example, access might be restricted to users of a particular homeserver or to users with a specific role.

AFAICT, as of 78801242ec3981c7deb5a2c6d11defd347ff39d8, that's not implemented. It'd be nice if it was.