Answering my own question, hoping this will be of help.
The dev rig doesn’t look like it uses the secret from the dashboard.
It uses its own special secret which you can find by going to Project details then scroll down to: Run your back-end service locally with the Developer Rig.
Inside you will find a command, that command has a -s parameter which is the actual secret!
Using that in the backend I was able to verify the signature.