Observed behavior
When creating an owner-only client via the API Portal, the resulting access token is invalid. In addition to the error, these tokens are clearly not in JWT format. This also happens when resetting an access token via the API Portal. When doing the same operation via Meta, the token is a standard JWT and works correctly. This leads me to believe that this is an issue with the OAuth extension /oauth2/client and /oauth2/client/{client_key}/reset_secret endpoints. This is not an issue with client secrets, just with access tokens for owner-only clients. Access tokens obtained via other OAuth flows work as expected.
$ curl -H "Authorization: Bearer 80_character_access_token" https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth/bare {"httpCode":401,"httpReason":"Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections"}
Expected behavior
Access tokens are valid JWTs and are accepted by the API Gateway.
$ curl -H "Authorization: Bearer 1000_character_access_token" https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth/bare {"id":9228,"key":"Earth","title":"Earth","latest":{"id":989047607,"timestamp":"2020-11-16T19:26:33Z"},"content_model":"wikitext","license":{"url":"//creativecommons.org/licenses/by-sa/3.0/","title":"Creative Commons Attribution-Share Alike 3.0"},"html_url":"https://en.wikipedia.org/w/rest.php/v1/page/Earth/html"}