The reason why we don't have an appliesTo property in WSTrustContext is because the context has the request itself, which contains all WS-T request data including AppliesTo. And SAML20TokenProvider already creates an AudienceRestriction if AppliesTo is found in the request. See the following code in issueToken():
AudienceRestrictionType restriction = null; AppliesTo appliesTo = context.getRequestSecurityToken().getAppliesTo(); if (appliesTo != null) restriction = SAMLAssertionFactory.createAudienceRestriction(WSTrustUtil.parseAppliesTo(appliesTo)); ConditionsType conditions = SAMLAssertionFactory.createConditions(lifetime.getCreated(), lifetime.getExpires(), restriction);
As you can see, you can access the original request from the context and then check the request object to see if an AppliesTo has been specified. If that is the case, then an AudienceRestriction is created and included in the SAML assertion.