Update to above, I replaced the clientID with default, and I recieved a token again, but I recieve the exact same error as before: CanReadToken() returned false, etc.
I guess I just don’t understand how the jwt from okta is malformed. It is properly subdivided into header, payload, signature. Putting it into an online jwt parser such as jwt.io returns expected data and values.