Third-party applications really have no recourse but to trust the signed JWT. That is just how OAuth2/OIDC works.
User impersonation against an IdP is a serious security issue. 100k is cheap.
The bug was basically on the IdP's "consent screen". Instead of using the email from the active logged-in account, it allowed the attacker to POST in any email they wanted.
Obviously not having the bug would be great. Apple could do "more", and layer on more things on top of OAuth, like a proof of key extension (DPoP) on the flow: https://tools.ietf.org/html/draft-fett-oauth-dpop-04
But if you have a bug like this, where you can edit your claims arbitrarily inside the IdP, extra security layers kinda don't matter.
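As an added illustration, not code from this thread or from Apple, here is the consent-endpoint pattern the comments describe next to a hardened version, plus the relying party's view that it can only verify the signature. The HS256 signing, the session table and the addresses are constructed stand-ins for the IdP's real RS256 key and accounts.

```python
import base64, hmac, hashlib, json

# Constructed sample state (not Apple's data): a signing key and one logged-in session.
SECRET = b"demo-idp-signing-key"  # stand-in for the IdP's private key
SESSIONS = {"sess-123": {"sub": "user-001", "email": "alice@example.com"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_id_token(claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the IdP signing the id_token with RS256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def consent_vulnerable(session_id: str, form: dict) -> str:
    """The bug pattern from the thread: the email in the consent POST is trusted as-is,
    so the IdP signs whatever the client put in the form."""
    account = SESSIONS[session_id]  # user is logged in, but the claim comes from the form
    return sign_id_token({"sub": account["sub"], "email": form["email"]})

def consent_fixed(session_id: str, form: dict) -> str:
    """Claims are derived from the authenticated session; the form may only choose
    among addresses the IdP itself associates with that account."""
    account = SESSIONS.get(session_id)
    if account is None:
        raise PermissionError("not logged in")
    allowed = {account["email"]}  # could also include an IdP-generated relay address
    chosen = form.get("email", account["email"])
    if chosen not in allowed:
        raise PermissionError("email not owned by the logged-in account")
    return sign_id_token({"sub": account["sub"], "email": chosen})

def relying_party_email(token: str) -> str:
    """Third-party app side: check the signature, then trust the claims. A valid
    signature gives it no way to tell a victim's email from an attacker-supplied one."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["email"]
```

In real OIDC the relying party verifies with the IdP's published public key rather than a shared secret, but the trust decision is the same: a correctly signed token is accepted.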