Build a signed ES256 JWT carrying the given claims, using the supplied
PKCS#8 EC P-256 private key (PEM). This is the general access-token sibling of
makeClientAssertion: the payload is assembled with Json (so string claims
are JSON-escaped, never interpolated) and string claims are rejected up front
if they contain control characters, reusing the same injection-hardening.
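The payload hardening described above, shown as an added Python example (not the project's own code): it contrasts a claim interpolated into a JSON template with the same claim passed through a JSON serializer, and rejects control characters up front. The function names are hypothetical, the control-character range (U+0000 to U+001F plus U+007F) is an assumption, and the ES256 signature over the returned signing input is left out.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def reject_control_chars(claims: dict) -> None:
    """Refuse string claims with control characters before serializing.
    Assumption: 'control character' means U+0000-U+001F or U+007F."""
    for name, value in claims.items():
        if isinstance(value, str) and any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"claim {name!r} contains a control character")

def signing_input(claims: dict) -> str:
    """Hardened path: validate, then let the JSON serializer do the escaping.
    Returns base64url(header) + '.' + base64url(payload), the bytes ES256 signs."""
    reject_control_chars(claims)
    header = json.dumps({"alg": "ES256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    return b64url(header.encode()) + "." + b64url(payload.encode())

def interpolated_payload(sub: str) -> str:
    """Weak pattern for contrast: the claim value is pasted into a JSON template."""
    return '{"scope":"read","sub":"%s"}' % sub

def decode_payload(token_input: str) -> dict:
    """Parse the payload segment back, as a verifier would after checking the signature."""
    segment = token_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

# Constructed sample input: a subject value that carries JSON syntax.
CRAFTED_SUB = 'alice","scope":"admin'

if __name__ == "__main__":
    # Interpolation: the value closes its string and adds a second "scope" key.
    # Python's parser keeps the last duplicate key, so the scope changes.
    print(json.loads(interpolated_payload(CRAFTED_SUB)))
    # Serializer: the same value round-trips as one opaque string.
    print(decode_payload(signing_input({"scope": "read", "sub": CRAFTED_SUB})))
    try:
        signing_input({"sub": "alice\nadmin"})
    except ValueError as err:
        print("rejected:", err)
```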