STREAM-2964 Note gotchas on signedURL docs (cloudflare#914)

Author: Everlag

products/stream/src/content/viewing-videos/securing-your-stream.md

@@ -31,15 +31,17 @@ Upon creation you will get a RSA private key in PEM and JWK formats. Keys are cr
   "result": {
     "id": "$KEYID",
     "pem": "$PRIVATE_KEY_IN_PEM_FORMAT",
-    "jwk": "{PRIVATE-KEY-IN-JWK-FORMAT}",
-    "created": "{TIMESTAMP}"
+    "jwk": "$PRIVATE-KEY-IN-JWK-FORMAT",
+    "created": "$TIMESTAMP"
   },
   "success": true,
   "errors": [],
   "messages": []
 }
 ```
 
+The `pem` and `jwk` fields are base64-encoded, you must decode them before using them.
+
 ### Making a video require signed URLs
 
 Since video ids are effectively public within signed URLs, you will need to turn on `requireSignedURLs` on for your videos. This option will prevent any public links, such as `watch.cloudflarestream.com/$VIDEOID`, from working.
@@ -67,6 +69,8 @@ Restricting viewing can be done by updating the video's metadata.
 
 After creating a key, you can use it to sign unique signed tokens. These tokens can be used in place of video ids in the stream embed code.
 
+For security reasons, the key signing a token to view a video **must** be associated with the same account the video was uploaded to. For example, if you have a key owned by account A attempting to sign a token for a video owned by account B, that token will not be accepted.
+
 You can sign to assert these optional constraints on the token:
 
 - `exp` - expiration; a unix epoch timestamp **after** which the token will not be accepted.