Sorry, I skipped a step. I shouldn't make assumptions about what's obvious. The server would provide the public key and the client would convert it to address form then match against the URI it has scanned. If it didn't match, stop at that point.