Did you find the solution? I already tested using nodejs, .net core, insomnia and curl. My secret means ok, because I passed about "invalid_client", but now, I've been faced the same problem. jwt: {"alg":"ES256","typ":"JWT"}.{"sub":"com.XXXX.XXXX","nbf":1612152911,"exp":1613016911,"iat":1612152911,"iss":"7MXXXXXXDM","aud":"https://appleid.apple.com"}

Guys, I finally understood. In my case, my test was failed because I´m trying validate the authentication code more than one time. You have only one chance to validate the authentication code! Remember that authentication expires in a few minutes. Then, you need to login each test and get new authentication code for each validate test.

I have the same problem and followed the same tutorial. Did you find the solution? I already test using nodejs, .net core, insomnia and curl.