I believe this explanation is simpler:
Audience: What is the target of this token. In other words which services, apis, products should accept this token an access token for the service. They may be many valid tokens in the world, but not all of those tokens have been granted by the user (or resource owner) to allow access to the resources saved in the product services. A token valid for Google drive should not be accepted for GMail, even if both of them have the same issuer, they’ll have different audiences. Why? Because a user may have given access to a 3rd party service to a access their GMail, but not their documents in Drive.
Issuer: Who created the token. This can be verified by using the well-known openid configuration endpoint and public keys. Since issuers are tied to DNS entries/url paths, each issuer must be unique. Two services can’t both be the same issuer. Tokens issued by Google will have a different issuer than the ones issued by Authress.