HAR logs would be helpful to determine what is actually going on and why your Callback() controller has not been reached. Make sure you hide sensitive information from HAR if you plan to post it.
If Auth0 doesnt find any “return to”, “baseurl/callback” is the default value. In your case, supplying “return to” or the “redirect uri”, and adding that url in the list of allowed callback urls could solve the problem.