I dont think the format should matter (I mean it may do here, but it should not)
In this situation easyauth is doing very little
You point it towards an addressable meta data endpoint and provide it with a client id and secret (generally, I cant speak for keycloak specifically, the secret is not actually required for access token validation)
The logic is simply going to check the issuer (this value should be returned with the meta data) the token signature (via the public keys available in the meta data)
And the audience - which is the client id you configured
So long as the token you are sending has an aud claim which matches what you put into the config for easyauth (under clientid) then there's not reason it should not work - should be a straight string match (same with iss claim and the issuer info from meta data)
A few more things will be checked - but that's the gist of it
I cant access the full backend logs as I'm not working in the support org - but if you mail me direct begim@microsoft.com - I'll do what I can to help