You can’t use a token from onAuthorized to send a global message. Viewers have no permissions to send messages on pubsub at all, and broadcasters can only broadcast to their own channel.
The only way to send messages globally is through your EBS creating the required token.
As for why you can’t verify the token signature on your backend, I can only assume you’re either not using bodyparser (have you tried to log req.body.token to ensure you’re actually getting what you think you’re getting?) or you’ve erroneously copied either the JWT when making the request, or the secret used.
As for jwt.io, did you paste the JWT or the secret first? If you paste the token first, then whatever secret your type/paste will automatically update the token to use that as a signature (so works for signing a token that you intend to send). If you want to use it to verify a token you’ve received you need to first paste the secret and then the JWT to ensure it is verified correctly.