I encountered the same issue as I was integrating Keycloak for authentication in Apache Airflow. The information provided by Matt helped me to identify the issue and jwt.io pointed me to the expected audience value.
The Airflow documentation shows a good starting point regarding how to integrate Keycloak, but the instruction where the JWT is decoded was in my case lacking the audience information:

user_token = jwt.decode(token, public_key, algorithms=jwt_algorithms)

After changing it to the following, everything worked like a charm:

user_token = jwt.decode(token, public_key, algorithms=jwt_algorithms, audience=f"{expected_audience}")