AH is forbidden because its functionality is overridden by ESP and its SPI is
not located at the port number part.
If my understanding is correct, integrity check including IP header cannot be done with ESP. AH can do that.
The source address is something I'd really like to check.
First, which part of the IP header do you want to check the integrity of?
That's why we do AH first and reject the packet if it doesn't check out. Applications are not involved in IPsec, that's the whole point. Otherwise you could just as well use TLS.
Once a host receives a packet and delivers it to some application using SPI (which is why SPI is equivalent to port information), information in the IP header is no longer necessary and it is too late to check the integrity of information in the IP header.