KID is just the identifier for a key. This is needed because often a service will have multiple keys listed in its JWKS file. This is so that old keys can still be valid when a new key is deployed (key rotation) and the KID allows a service to say which key was used to sign a JWT so that a consuming system doesn't have to try all valid keys. Canvas typically has 3 keys in it's JWKS files: https://canvas.instructure.com/api/lti/security/jwks
It is expected that a tool will have different KIDs in its JWKS file to Canvas. Canvas will use it's keys to send LTI messages to you and you can use it's JWKS file and the KID in the JWT to validate those messages are from Canvas. The reverse also applies, when you send a message back to Canvas it will use the JWKS for your tool to validate the JWT (using the KID to know which key to use).
Although as far as I'm aware at the moment Canvas doesn't support multiple keys being registered for a tool at once (you can only set one). This is why I think it's called JWK rather than JWKS in the LTI Developer Key configuration.
