As far as I know, this error is usually caused by the fact that you did not encode the thumbprint correctly. After you obtain the thumbprint, please check your code to ensure that it is properly Base64 encoded.
Check the format of your JWT token at jwt.io.
Header
{
    "alg": "RS256",
    "typ": "JWT",
    "x5t": "<Base64 Thumbprint>"
}
Payload
{
    "iss": "<clientid>",
    "sub": "<clientid>",
    "exp": 1570838377 (expiration time),
    "jti": "<random unique identifier>",
    "aud": "https://<token-endpoint>"
}
Drop your private key into the bottom verifier, which will sign your JWT in the "Encoded" window.
I found some cases for your reference; I hope they can help you: https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/320069/authentication-to-dynamics-365-using-azure-apps and https://github.com/AzureAD/passport-azure-ad/issues/453
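The thumbprint encoding discussed in the answer above, as an added example that is not part of the original answer: it converts a hex SHA-1 certificate thumbprint into the `x5t` header value and classifies the usual mis-encodings. The function names, sample thumbprint, client ID and endpoint are constructed for illustration; the header and payload fields are the ones listed above.

```python
import base64, binascii, json, re, time, uuid

# Constructed sample thumbprint (not a real certificate), with copy/paste separators.
SAMPLE_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33"

def b64url(data: bytes) -> str:
    """Base64url without padding, the form RFC 7515 uses for JWS values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_from_thumbprint(hex_thumbprint: str) -> str:
    """Hex SHA-1 thumbprint -> x5t: encode the 20 raw hash bytes, not the hex text."""
    # Drop spaces, colons and invisible characters picked up when copying.
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", hex_thumbprint)
    raw = bytes.fromhex(cleaned)
    if len(raw) != 20:
        raise ValueError(f"SHA-1 thumbprint must be 20 bytes, got {len(raw)}")
    return b64url(raw)

def check_x5t(x5t: str) -> str:
    """Return 'ok' or a description of the encoding mistake in an x5t value."""
    if re.fullmatch(r"[0-9A-Fa-f]{40}", x5t):
        return "hex thumbprint used directly, not Base64"
    try:
        raw = base64.urlsafe_b64decode(x5t + "=" * (-len(x5t) % 4))
    except (binascii.Error, ValueError):
        return "not Base64"
    if len(raw) == 20:
        return "ok"
    if re.fullmatch(rb"[0-9A-Fa-f]{40}", raw):
        return "Base64 of the hex text, not of the raw hash bytes"
    return f"decodes to {len(raw)} bytes, expected 20"

def build_signing_input(hex_thumbprint, client_id, token_endpoint, lifetime=600):
    """Header and payload segments; the RS256 signature is computed over this string."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_from_thumbprint(hex_thumbprint)}
    payload = {"iss": client_id, "sub": client_id,
               "exp": int(time.time()) + lifetime,
               "jti": str(uuid.uuid4()), "aud": token_endpoint}
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}"

if __name__ == "__main__":
    good = x5t_from_thumbprint(SAMPLE_THUMBPRINT)
    bad = base64.b64encode(SAMPLE_THUMBPRINT.replace(" ", "").encode()).decode()
    for value in (good, bad, SAMPLE_THUMBPRINT.replace(" ", "")):
        print(f"{value!r}: {check_x5t(value)}")
    print(build_signing_input(SAMPLE_THUMBPRINT, "<clientid>", "https://<token-endpoint>"))
```

A correct `x5t` is 27 characters long (28 with `=` padding); a 54 to 56 character value is the sign that the hex string itself was Base64 encoded.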