IDX10501 Signature validation failed when validating token

We have a problem with token validation in our test system. We are using the OWIN middleware in OpenID connect.
The code we have was originally based off https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi .
The code has since been modified and customized and is in a .NET 4.6.1 MVC app.

We are getting SecurityTokenInvalidSignatureExceptions with the message “IDX10501 occurs here with this message: Signature validation failed. Unable to match keys: …” The keys do match though.
We have discussed this with Microsoft and they have indicated to us that Azure settings are correct and that the error is likely occurring in the OWIN middleware.

Our config settings are as follows:

     private TokenValidationParameters _tokenValidationParameters
    {
        get
        {
            TokenValidationParameters tokenValidationParameters= new TokenValidationParameters
            {
				ValidateAudience = true,
                ValidAudience = ConfigurationManager.AppSettings["AzureClientId"],
                NameClaimType = "name",
                ValidateLifetime = true,
				...other validation settings
            };
            return tokenValidationParameters;
        }
    }

Here are some of the config settings: <add key="AzureTenant" value="f16af6eb-9396-4db0-b938-62c8cf9be01d" /> <add key="AzureClientId" value="13a4d1c2-231a-4946-a7db-f5e3903f74b6" />

Our token validation in Startup.cs looks like this:

        private Task OnMessageReceived(MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
        {
            string tokenBase64Encoded = string.Empty;
            try
            {
                SecurityToken validatedToken;
                JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
                tokenBase64Encoded = arg.ProtocolMessage.IdToken;
                var user = jwtSecurityTokenHandler.ValidateToken(tokenBase64Encoded, _tokenValidationParameters, out validatedToken);//will generate exception if invalid token
                return Task.FromResult(0);

            }
            catch (ArgumentException ex)
            {
					...Log and handle the error
            }
			...Log  and handle other specific exceptions
            
            catch (SecurityTokenInvalidSignatureException ex)  //this exception is caught
            {		
					...Log and handle the error
            }
            catch (Exception ex)
            {
					...Log  and handle any other error
            }
         }

Our configuration method looks like this:

       public void Configuration(IAppBuilder app)
        {
            ...
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    MetadataAddress = MetadataAddress,\\MetadataAddress="https://cir2advisorstst.b2clogin.com/tfp/cir2advisorstst.onmicrosoft.com/B2C_1A_Signin_OpenID/v2.0/.well-known/openid-configuration"
                    ClientId = clientId,
                    RedirectUri = redirectUri, //redirectUri points to our test app
                    PostLogoutRedirectUri = redirectUri,
                    Scope = OpenIdConnectScope.OpenIdProfile,
                    ResponseType = OpenIdConnectResponseType.IdToken,
                    TokenValidationParameters = _tokenValidationParameters,
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        ...
                        MessageReceived = OnMessageReceived,
                        AuthenticationFailed = OnAuthenticationFailed,
                        ...other notifications handled.
                    }
                }
            );
        }

How can we prevent this SecurityTokenInvalidSignatureException?

Thanks, Steve