Allow token exchange only for linked users

Hello,
I’ve set up an identity provider and enabled token exchange for it. Additionally, I’ve created a custom flow based on the first broker login. The only difference is that this custom flow requires the account linking. It won’t create users that don’t exist based on the identity provider. If a user uses the identity provider for the login, either he must be linked already or he must additionally log in with a Keycloak user.

This works as intended as long as I use the browser (authorization code) for the login. However, it doesn’t work with token exchange. Token exchange seems to ignore the flow and just creates the user if he doesn’t exist.

What settings are required to prohibit the creation of users when using token exchange?

Seems like this is intended and this was already mentioned:
https://issues.redhat.com/browse/KEYCLOAK-19779?jql=text%20~%20%22token%20exchange%22
and
https://lists.jboss.org/archives/list/keycloak-user@lists.jboss.org/thread/6OKTOR6EUZK4BLSMOB3IRKCKFRPUSXJI/#UBE2QU4OKMIEGRZIACHMTUSN3JVNXCWN

I made an issue for it: It should be possible to prevent user creation when using token exchange · Issue #12548 · keycloak/keycloak · GitHub
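A small check for the behaviour described in this thread, added here as an example and not code from the original post or from the Keycloak project: it builds the external-to-internal token-exchange request that the browser-less path uses, and then compares the realm's user list (as returned by the admin REST API) before and after the exchange to report any account that was provisioned without a link. The base URL, realm name, client credentials, the identity-provider alias `ext-idp`, and the admin endpoints used in `main` are assumptions; the admin token is expected in the `KC_ADMIN_TOKEN` environment variable, which is also an assumption of this script.

```python
import json
import os
import urllib.parse
import urllib.request

# Grant type defined by RFC 8693 and used by Keycloak's token exchange.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_token_exchange_request(base_url, realm, client_id, client_secret,
                                 subject_token, subject_issuer):
    """Return (url, form body) for exchanging an external IdP token.

    subject_issuer is the alias of the identity provider configured in
    Keycloak whose token is being exchanged (assumed alias in main: ext-idp).
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    }
    return url, urllib.parse.urlencode(form).encode()


def usernames(users):
    """Set of usernames from an admin-API user listing (list of user dicts)."""
    return {u["username"] for u in users}


def auto_provisioned(before, after):
    """Usernames present after the exchange but absent before: accounts the
    exchange created on its own, bypassing the account-linking flow."""
    return sorted(usernames(after) - usernames(before))


def is_linked(federated_identities, idp_alias):
    """True if a user's federated-identity entries include the given IdP alias."""
    return any(f.get("identityProvider") == idp_alias for f in federated_identities)


def _get_json(url, bearer):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main():
    # All values below are assumptions for illustration; adjust to your realm.
    base, realm, idp = "https://kc.example", "demo", "ext-idp"
    admin_token = os.environ["KC_ADMIN_TOKEN"]
    users_url = f"{base}/admin/realms/{realm}/users?max=1000"

    before = _get_json(users_url, admin_token)
    url, body = build_token_exchange_request(
        base, realm, "exchange-client", os.environ.get("KC_CLIENT_SECRET", ""),
        os.environ.get("EXTERNAL_IDP_TOKEN", ""), idp)
    try:
        urllib.request.urlopen(urllib.request.Request(url, data=body)).read()
    except urllib.error.HTTPError as err:
        print(f"exchange rejected: HTTP {err.code}")
    after = _get_json(users_url, admin_token)

    for name in auto_provisioned(before, after):
        user = next(u for u in after if u["username"] == name)
        links = _get_json(f"{base}/admin/realms/{realm}/users/{user['id']}/federated-identity",
                          admin_token)
        print(f"created without linking: {name} (linked to {idp}: {is_linked(links, idp)})")


if __name__ == "__main__":
    main()
```

Run it once against a test realm with a subject token for an identity that has no Keycloak account; if the exchange succeeds and the script reports a newly created user, the realm still auto-provisions over token exchange regardless of the first-broker-login flow.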