Although it was some time ago I already used jwt.sign from within a rule and did not experienced any issues when receiving and validating the generated token. However, when I did it, I did request a explicit version of the jsonwebtoken module instead of relying on the one that has built-in support and as such can be used without a require.
The recommendation here would be for you to explicitly request a version of that module and verify if you still observe issues. You can check the versions available within rules at:
https://tehsis.github.io/webtaskio-canirequire/#jsonwebtoken
For example, you could (and should even if this is not the root cause of the issue) do:
var jwt = require('jsonwebtoken@7.1.9');
var request = require('request@2.56.0');
// ...
// you may need to adapt the code to be compatible with the requested version
If fixing the version still leads to issues then at least we can reduce the scope of testing to a single version and in this case you should also update your question with additional information about what exactly constitutes an invalid token (an example would be great).