So, “undocumented feature” I just discovered.
Logging out with https://{okta-domain}/login/signout?fromURI={logout_url} seems to relax the exact match requirement for logout url; meaning I can pass in the final redirect url as a parameter to logout_url. I just had to make sure and add the logout url to the trusted origins with redirect.
Logging out with https://{okta-domain}/oauth2/default/v1/logout?id_token_hint={token}&post_logout_redirect_uri={logout_url} seems to use strict match against the logout url.
Does this make sense?