Definitely a SECRET_KEY issue.
It turns out we had two different SECRET_KEY entries in lms.env.json and lms.auth.json. And depending which one I use, I don’t have the issue or I have it,
Mystery solved. Thanks @Felipe for suggesting it might be a SECRET_KEY issue this morning in the BTR WG meeting.
Now, I have to figure out how to fix it in case the SECRET_KEY is used in other cases than authentication and submissions for ORA2.
P.S. Maybe https://openedx.atlassian.net/wiki/spaces/OpenOPS/pages/60227806/Update+Your+LMS+and+CMS+SECRET+KEY can help, but it might be outdated right now.