Otherwise it mimics the GitHub payload body well enough (we only check for the ref and repository chunks), as well as X-GitHub-Event.
But the auth is wrong.
Some reasons I've seen this happen:
If there is a significant time difference between the client (browser) and the server. I've seen this happen within a Docker server sometimes, where the time on the server is very wrong.
Browser extensions such as adblockers causing issues by changing referrers or other headers, blocking things, etc.
Those forms usually send some content related to CSRF protection, within a hidden field in the form. That needs to be sent back and will be verified. Something seems to be going wrong there.
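To make the failure modes above concrete, here is an added example (not code from the thread or from the site being discussed) of a hidden-field CSRF token check. It assumes a timestamped HMAC token scheme, which the thread does not confirm; `SECRET_KEY`, `MAX_AGE`, `SKEW_TOLERANCE` and the session ids are constructed for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed; a real key is random and secret
MAX_AGE = 3600        # assumed token lifetime, seconds
SKEW_TOLERANCE = 60   # assumed allowance for small clock differences, seconds


def _sign(session_id: str, issued_at: int) -> str:
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: int) -> str:
    """Value the server renders into the form's hidden field."""
    return f"{now}:{_sign(session_id, now)}"


def verify_token(session_id: str, token: str, now: int) -> str:
    """Return 'ok' or the reason the submitted field was rejected."""
    try:
        ts_text, sig = token.split(":", 1)
        issued_at = int(ts_text)
    except (AttributeError, ValueError):
        return "malformed"  # field absent, stripped or altered in transit
    expected = _sign(session_id, issued_at)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    age = now - issued_at
    if age < -SKEW_TOLERANCE:
        return "issued-in-future"  # issuing clock ahead of verifying clock
    if age > MAX_AGE:
        return "expired"  # issuing clock behind, or the form sat open too long
    return "ok"


def demo() -> dict:
    t = 1_700_000_000  # constructed wall-clock time on the verifying host
    good = issue_token("sess-1", t)
    return {
        "same_clock": verify_token("sess-1", good, t + 30),
        "issuer_2h_behind": verify_token("sess-1", issue_token("sess-1", t - 7200), t),
        "issuer_2h_ahead": verify_token("sess-1", issue_token("sess-1", t + 7200), t),
        "field_missing": verify_token("sess-1", "", t),
        "other_session": verify_token("sess-2", good, t),
    }
```

Logging the returned reason server-side, rather than a generic rejection, separates a clock problem on a host or container from a field that never arrived.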