Verify the p tag, find its metadata, fetch its LUD address, extract the pubkey from the HTTP response and then validate the zap pubkey against that? I guess it's not that hard, but if the zap provider pubkey was included directly in the receiver metadata that would be much better.