One of the flaws of that system was exactly that you didn't know which domains where allowed to issue the requests for a one-time key.

Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all it's centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.