Demanding ID was the standard procedure under the 95/46 directive, with GDPR any way of proving your identity is enough.
It can range to log in the service to actually demanding an ID if sensible data are handled.
In your case, the Guidelines 01/2022 from the EDPB, especially points 63 to 65, tend to say that you authenticated yourself properly.
=> involve the DPA (dutch or belgian, according the language of the response, but you can anyway check in the Privacy Notice)
Sure, as you know that you can throw people overboard to save your own ass.