Can be nice to add ability to intercept token-exchange grant with client policies like other grants have (client policies not yet available yet for token-exchange).

For example here how code for trigger client-policies look like in ResourceOwnerPasswordCredentialsGrantType (triggered after initial checks/validations are performed) : https://github.com/keycloak/keycloak/blob/26.1.2/services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java#L81-L87