Excluding users from MFA with rules breaks consent pop up

We added a rule that overwrites the context.multifactor field for users with specific user names. The exclusion itself worked as expected, but we saw an issue with the first login of new users: after the user approves the consent prompt, the browser shows an error page.

This is the rule:

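function (user, context, callback) {
  // Auth0 rule: turns MFA off for the current login when the user's email
  // starts with one of the listed prefixes, by overwriting context.multifactor.
  //
  // user     - profile of the user logging in; only user.email is read here.
  // context  - login transaction context; multifactor is replaced for excluded users.
  // callback - rule continuation, always called as callback(null, user, context).
  const EXCLUDED_USER_PREFIXES = [
    'user1',
    'user2',
  ];

  // A profile without an email would make user.email.startsWith throw a
  // TypeError inside the rule; treat a missing email as "not excluded" so
  // MFA stays on for that user.
  const email = typeof user.email === 'string' ? user.email : '';

  // NOTE(review): this is a prefix match on the whole address, so 'user1'
  // also matches 'user10@...' and 'user1@<any domain>'. If sign-up is open or
  // the address is unverified, the MFA exemption can be obtained just by
  // choosing a matching email. Prefer an exact match on user.user_id, or a
  // flag in user.app_metadata that only administrators can set, and consider
  // requiring user.email_verified before exempting anyone.
  const isExcluded = EXCLUDED_USER_PREFIXES.some((prefix) => email.startsWith(prefix));

  if (isExcluded) {
    context.multifactor = {
      provider: 'none',
    };
  }

  callback(null, user, context);
}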

This is the error message (from the logs) after the user clicks the consent approve button (redacted):

{
  "date": "2022-11-07T21:08:20.946Z",
  "type": "f",
  "description": "Unable to correlate completed consent.",
  "connection": "console-username-password-auth",
  "connection_id": "*****",
  "client_id": "*****",
  "client_name": "*****",
  "ip": "*****",
  "user_agent": "HeadlessChrome 106.0.5249 / Linux 0.0.0",
  "details": {
    "body": {},
    "qs": {
      "state": "aunPKSoGQ0ounwv8P8zeex53859HEzqP"
    },
    "connection": "console-username-password-auth",
    "error": {
      "message": "Unable to correlate completed consent.",
      "oauthError": "server_error",
      "type": "oauth-authorization"
    },
    "session_id": "Jc8r2nrfKjUFXMrQnRDF5Us08iieDAE8",
    "riskAssessment": {
      "confidence": "high",
      "version": "1",
      "assessments": {
        "UntrustedIP": {
          "confidence": "high",
          "code": "not_found_on_deny_list"
        },
        "NewDevice": {
          "confidence": "high",
          "code": "initial_login"
        },
        "ImpossibleTravel": {
          "confidence": "high",
          "code": "initial_login"
        }
      }
    },
    "actions": {
      "executions": [
        "zFw9eSvZSge2Gi9YubrK9zIwMjIxMTA3"
      ]
    }
  },
  "hostname": "*****",
  "user_id": "*****",
  "user_name": "*****",
  "strategy": "auth0",
  "strategy_type": "database",
  "organization_id": "*****",
  "organization_name": "*****",
  "audience": "https://*****.us.auth0.com/userinfo",
  "scope": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "log_id": "90020221107210823951273628476824183673115586323980222514",
  "_id": "90020221107210823951273628476824183673115586323980222514",
  "isMobile": false,
  "id": "90020221107210823951273628476824183673115586323980222514"
}

On subsequent logins the consent window is not shown, and there are no errors.

Is this an issue with how the rule works, or maybe a bug in the consent mechanism?