Extension PubSub is always enabled. I’m not a .NET dev so can’t help with your code, but what I’d suggest doing is just logging All The Things!
If you log your signed JWT you can easily verify that the payload data is correct, and if you log the secret being used (before being base64 decoded) you can check to see if there are any additional spaces or missing characters.
If you paste your generated JWT into something like jwt.io and use your secret directly copy/pasted from your Extension Console page then that should correctly show the signature is correct, if it shows the signature is incorrect then it’s likely an issue with how your EBS is loading/manipulating the secret string or how it’s signing the JWT.