Apparently on the client, Apple is signing SHA256(SHA256(authData || clientDataHash)). Changing this to a double hash allows the signature to verify correctly.