Validate Okta Audience

First thing to note is that you’re going to want to update it so that the middleware and the web/native applications are using the same Authorization Server.

The fact that you see the Client ID as the ‘aud’ for your Web App makes me think that you are trying to validate an ID token (unless you made a custom Authorization Server where you set the audience to the client ID yourself, of course), as the ‘aud’ in an ID token will always be the OAuth/OIDC client ID.

Can you ensure that you are only trying to validate access tokens? It sounds like your iOS application is looking at an access token issued by the ‘default’ authorization server, so you just want to make sure your .NET web app is as well.

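An added example, not part of the original reply: a claims-only diagnostic that decodes a token's payload and reports whether its `iss` and `aud` match what the API expects, flagging the case where `aud` is the client ID. The issuer URL, the `api://default` audience, the client ID and the sample tokens are constructed placeholders, and the function names are hypothetical. It does not verify signatures, so it is for troubleshooting only; the middleware's JWT library still has to do the real validation.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token: str, expected_issuer: str, expected_audience: str,
             client_id: str) -> list:
    """Return a list of reasons the API would reject this token's claims."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # 'aud' may be string or array
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}")
    # A custom authorization server may legitimately use the client ID as its
    # audience, so only flag this when the API expects something else.
    if client_id in auds and expected_audience != client_id:
        problems.append("aud is the client ID: looks like an ID token, "
                        "not an access token")
    elif expected_audience not in auds:
        problems.append(f"audience mismatch: token aud={aud!r}")
    return problems

def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"

# Constructed placeholder values (assumptions, not from the thread).
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "api://default"
CLIENT_ID = "0oaEXAMPLECLIENTID"

ACCESS_TOKEN = make_sample({"iss": ISSUER, "aud": AUDIENCE, "cid": CLIENT_ID})
ID_TOKEN = make_sample({"iss": ISSUER, "aud": CLIENT_ID, "nonce": "constructed"})
ORG_TOKEN = make_sample({"iss": "https://example.okta.com",
                         "aud": "https://example.okta.com"})

if __name__ == "__main__":
    for name, tok in [("access", ACCESS_TOKEN), ("id", ID_TOKEN), ("org", ORG_TOKEN)]:
        print(name, diagnose(tok, ISSUER, AUDIENCE, CLIENT_ID) or "claims OK")
```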