I'm working through this process myself. I've gotten as far as validating the certificate chain contained in the x5c header property, but am failing to validate the signature of the JWT using the public key extracted from the first certificate in that chain.