It also looks like you included "content-type" in your verification step when it wasn't included in the signature.

But I did totally miss the org/com switch. I'll have to check my implementation, but I'm pretty sure I don't use the keyId location at all. I start from the Actor and go to webfinger.
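
As an added example (not part of the original reply or of either implementation), here is the header mismatch described in the first paragraph. It assumes the draft-cavage HTTP Signatures scheme, where the verifier rebuilds the signing string from exactly the names in the `headers` parameter. HMAC-SHA256 stands in for the actor's RSA key so the block needs only the standard library; the key, host and request are constructed.

```python
import base64, hashlib, hmac, re

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the actor's RSA key

def parse_signature_header(value):
    """Split a Signature header into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def signing_string(method, path, headers, signed_names):
    """Build the signed string from exactly the names the signer listed."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lowered:
            lines.append(f"{name}: {lowered[name]}")
        else:
            raise ValueError(f"signed header missing from request: {name}")
    return "\n".join(lines)

def mac(text):
    return hmac.new(KEY, text.encode(), hashlib.sha256).digest()

def verify(method, path, headers, extra=()):
    """`extra` reproduces the bug: header names added only at verification."""
    params = parse_signature_header(headers["Signature"])
    names = params["headers"].split() + list(extra)
    expected = mac(signing_string(method, path, headers, names))
    return hmac.compare_digest(expected, base64.b64decode(params["signature"]))

def sample_request():
    """Constructed request signed over (request-target), host and date only."""
    headers = {"Host": "example.org",
               "Date": "Tue, 07 Jun 2022 20:51:35 GMT",
               "Content-Type": "application/activity+json"}
    signed = ["(request-target)", "host", "date"]
    sig = base64.b64encode(mac(signing_string("POST", "/inbox", headers, signed)))
    headers["Signature"] = (
        'keyId="https://example.org/users/alice#main-key",algorithm="hmac-sha256",'
        f'headers="{" ".join(signed)}",signature="{sig.decode()}"')
    return headers

if __name__ == "__main__":
    req = sample_request()
    print(verify("POST", "/inbox", req))                            # listed names only
    print(verify("POST", "/inbox", req, extra=("content-type",)))  # extra name added
```

A valid signature is rejected as soon as the verifier includes a header the signer did not list, which is why the `headers` parameter, not a fixed list in the verifier, has to drive the signing string.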