Then as long as you copied and pasted the entire thing. (sometimes a copy/paste will miss characters if not quite paying attention)
And your frontend passed up the correct token (the authToken not the helixToken)
Then the other thing to do is to check that the recieved variables on your server are what you expect.
And check the time on the recieving server is accurate.
After that theres not many other things it could be unless you have a second extension and loaded in the wrong extension secret