I actually fought with this for a hour or two yesterday, because it isn’t directly documentated anywhere (i had to dig through the specification https://www.w3.org/TR/websub/#signature-validation).
What you have to do, when you receive the notification request from twitch (after your request was verified). Is to get the raw payload of the request and sign this one with your secret key, in the request there is also an additional header call x-hub-signature which also contains the signed payload (+ additionally the info which hash was used to create the signature). In twitches case the used hash algorithm is sha-256, if you compare the sha-256 hash of your received payload (using your secret key to hash it) with the x-hub-signature value in the header then the value should be the same to verify that it was hashed with the secret you provided initially.
I hope that helps a bit 
and maybe twitch can adapt their documentation to offer more infos here (especially that they are using sha-256 would have been nice to know)