I'm seeing a similar issue unfortunately. It's frustrating that ASWebAuthenticationSession and universal links seem to be the recommended approach to authenticate users against a web service, but they rely on AASA verification.

@DTS Engineer I've submitted a bug report with ID FB20925084. Unfortunately I wasn't able to provide too many details. I'm not able to reproduce this issue on iOS 26 but it was reported by one of my beta testers and the app review team. The issue is now blocking submission of my app to the app store. I'm surprised there are not more reports of this issue. I'd had thought it would affect many apps that use web services or OAuth to authenticate.

@DTS Engineer I personally cannot replicate it on iOS 26+, but I have beta users on iOS26+ who are affected by this. Similarly the app review team are affected by this which means they won't approve my app. I created another bug under my paid developer account FB21032735

Is webcredentials officially required when using HTTPS as a callback URL with ASWebAuthenticationSession? Anecdotally I've observed that webcredentials are required for universal links to work with ASWebAuthenticationSession. Though I also couldn't find anything in the docs referencing this requirement. In addition, once I did add webcredentials the Universal Link was triggered unreliably. For a small percentage of users, they still get the Using HTTPS callbacks requires Associated Domains using the webcredentials service type for xxxx-example.go.link. error. See https://developer.apple.com/forums/thread/805606?page=1#866853022

Sounds like this could be related to this bug here? https://developer.apple.com/forums/thread/805606?page=1#866853022