Thanks Nate. That solved it!
I specified the fully qualified issuer to match the server:
https://{mysubdomain}.oktapreview.com/oauth2/default
I also found this other thread that covers this in "Invalid signature in Access and Id Token - #2 by tom".
–Ray