Description
Is your feature request related to a problem? Please describe.
The Streamable HTTP spec is missing some concrete instructions regarding the expected response in error cases as well as clear instructions regarding non-SSE responses.
2.0.1
In general, the different SDKs return different bodies in error cases.
While the Python SDK returns just text (https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/transport_security.py#L125), the TypeScript SDK returns a JSON-RPC-like application/json body (https://github.com/modelcontextprotocol/typescript-sdk/blob/main/src/server/streamableHttp.ts#L210).
E.g.
Servers MUST validate the Origin header on all incoming connections to prevent DNS rebinding attacks
The spec lacks any HTTP status code that should be returned in this case. Python SDK returns 400, TypeScript SDK returns 403.
2.1
If the input is a JSON-RPC request, the server MUST either return Content-Type: text/event-stream, to initiate an SSE stream, or Content-Type: application/json, to return one JSON object. The client MUST support both these cases.
I assume the JSON object that is returned in the non-SSE case should be matching the Result interface of the JSONRPCResponse type? Or is it expected to be a JSONRPCResponse as well? This is a bit unclear, as the JSON-RPC response is technically also a JSON object.
Describe the solution you'd like
Clear instructions about the status code and the body in error cases, as well as responses in non-SSE cases.
Describe alternatives you've considered
n/a
Additional context
n/a
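An added example, not part of the issue or of either SDK: a client-side helper that folds the two error styles described above (plain text with 400, JSON-RPC-like JSON with 403) into one shape, so that rejection handling does not depend on which server implementation answered. The names `TransportError` and `normalize_error` are hypothetical, and the sample bodies are constructed for illustration.

```python
import json
from typing import NamedTuple, Optional

class TransportError(NamedTuple):
    status: int               # HTTP status as received (400 and 403 both occur)
    message: str              # best-effort human-readable reason
    rpc_code: Optional[int]   # JSON-RPC error code, when the body carried one

def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def normalize_error(status: int, content_type: str, body: bytes) -> Optional[TransportError]:
    """Return None for 2xx; otherwise fold either body style into one shape."""
    if 200 <= status < 300:
        return None
    text = body.decode("utf-8", errors="replace").strip()
    if media_type(content_type) == "application/json":
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None  # labelled JSON but not parseable: fall back to raw text
        err = doc.get("error") if isinstance(doc, dict) else None
        if isinstance(err, dict) and isinstance(err.get("message"), str):
            code = err.get("code")
            return TransportError(status, err["message"],
                                  code if isinstance(code, int) else None)
    # Plain-text body, or JSON without a usable error member.
    return TransportError(status, text or f"HTTP {status}", None)

# Constructed samples of the two styles (not captured from either SDK).
PLAIN = (400, "text/plain; charset=utf-8", b"Invalid Origin header")
JSONRPC = (403, "application/json",
           b'{"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid Origin header"},"id":null}')

if __name__ == "__main__":
    for sample in (PLAIN, JSONRPC):
        print(normalize_error(*sample))
```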