oas3-operation-security-defined scopes validation not using resolved securitySchemes

[cuttingclyde]

fdxapi.components.test.yaml.txt
fdxapi.tax.fails.yaml.txt
fdxapi.tax.passes.yaml.txt

Describe the bug
The oas3-operation-security-defined rule fires even though the referenced securityScheme contains the referenced scopes.

To Reproduce

1. Given attached fdxapi.tax.fails.yaml OpenAPI document which references securitySchemes in attached fdxapi.components.test.yaml OpenAPI document
2. Run the spectral:oas ruleset
3. Which returns error:

 36:15  warning  oas3-operation-security-defined  "fdx:customerpersonal:read" must be listed among scopes.  paths./tax-forms.get.security[0].OAuthFapi1Advanced[0]

4. Given attached fdxapi.tax.passes.yaml OpenAPI document which includes the full securitySchemes definition copied exactly from fdxapi.components.test.yaml
5. Run the spectral:oas ruleset
6. Which succeeds without firing the rule

Expected behavior
The original rule failure should not occur, since the referenced scope fdx:customerpersonal:read is defined in the referenced file's securitySchemes.

Environment (remove any that are not applicable):

• OAS version: 3.1.0
• Spectral version: 6.11.1
• OS: Linux (BitBucket pipeline) and Windows 11 (Spectral CLI)