We’re running into a similar issue but only when deploying the API with IISNode on a Windows IIS server.
We’re using the same RS256 signing algo and have confirmed that this works via localhost.
The problem comes up when we host it with a domain name served to us via the IIS Server, and try to access a protected API route using the domain name.
When running a localhost version of said API and trying to hit it via http://localhost:3001, it accepts the token and makes the authentication call.