I'd guess that your issuer isn't specified in your openid config. You'd have to decode your JWT to verify that. If that's the problem, you just need to add all of your issuers to that validate-jwt policy.

Since you're doing everything in Entra Id, you might consider using a validate-azure-ad-token policy instead of a validate-jwt policy since that already checks for all of the issuers that might issue your tokens.