Associate MFA factor from own UI: error on factor activation

Finally got some time to go through this whole flow, and after some time with Postman I have some ideas.

How is the user logging in here (I think this is the crux of the issue)? Are users not required to use MFA? They should be getting an MFA required error and an MFA token.

After this you would take the MFA token from step 1 and make the request you posted, which would return an access and id token.

This is likely an unintentional red herring. The API is probably looking at the token expiration before looking at the actual payload, and saying the MFA token is expired, when it isn’t an MFA token at all, but it is expired.

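The check-ordering effect suspected in the reply above, as an added example that is not part of the original post and is not any provider's code: an expired non-MFA token is reported as an expired MFA token when expiry is tested before the token's purpose. The token format, the `purpose` and `exp` claims, the error strings and the key are all assumptions constructed for the illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def issue(claims):
    """Sign claims into a 'body.sig' token (hypothetical format, not a real provider's)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def _claims(token):
    """Verify the signature, then return the decoded claims."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("invalid_signature")
    return json.loads(base64.urlsafe_b64decode(body))

def check_expiry_first(token, now):
    """Ordering the reply suspects: expiry is tested before the token's purpose."""
    c = _claims(token)
    if c["exp"] <= now:
        return "mfa_token_expired"   # misleading when the token is not an MFA token
    if c.get("purpose") != "mfa":
        return "not_an_mfa_token"
    return "ok"

def check_purpose_first(token, now):
    """Same checks reordered so the error names the real problem."""
    c = _claims(token)
    if c.get("purpose") != "mfa":
        return "not_an_mfa_token"
    if c["exp"] <= now:
        return "mfa_token_expired"
    return "ok"

NOW = 1_700_000_000  # constructed clock value
stale_access = issue({"purpose": "access", "exp": NOW - 60})  # constructed sample
fresh_mfa = issue({"purpose": "mfa", "exp": NOW + 300})       # constructed sample

if __name__ == "__main__":
    for name, tok in [("stale access token", stale_access), ("fresh MFA token", fresh_mfa)]:
        print(name, check_expiry_first(tok, NOW), check_purpose_first(tok, NOW))
```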