In addition to making sure that the audience values are correct at the API level you also need to ensure that the client application performs an authentication/authorization request that includes an audience parameter with a value matching the one associated with your API.
The above may not be a definitive answer, however, based on the information provided is hard to point to the root cause. Ideally you should provide the API audience you’re using and the payload section of the JWT access token the client application is sending to the API (you can redact any custom claims withing the payload and also redact your Auth0 domain name).