Creating a signature for authorization via ESIA with a CryptoPro certificate

Setting up the site authorization via ESIA.

Problem: After clicking on the generated link with the signature, we go to the authorization page, enter the data, get the error "Authorization error", the page address has details

error_description=ESIA-007005%3A+The+client+is+not+authorized+to+request+an+access+token+using+this+method

There is a machine with a docker.

Docker container installed https://hub.docker.com/r/required/cryptopro

The root certificate is installed, the client certificate, there is a trial key for CryptoPro.

Certificate chains are verified by the copy method(https://www.altlinux.org/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%9F%D1%80%D0%BE#%D0%9F%D1%80%D0%BE%D0%B2%D0%B5%D1%80%D0%BA%D0%B0_%D1%86%D0%B5%D0%BF%D0%BE%D1%87%D0%BA%D0%B8_%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D0%B2)

cryptcp -copycert -thumbprint "$thumbprint" -df tt.cer

Output

Certificate chains are checked

The ESIA requires a signature in the PKCS#7 detached signature format in UTF8 encoding, then encoded in the safe url. base64

Googling, I found this option:

csptest -sfsign -sign -detached -base64 -add -alg "GOST12_256" -in message -out sig

The file is signed, I check

csptest -sfsign -verify -detached -base64 -add -alg "GOST12_256" -in message -signature sig

At the exit:

Detached Signature was verified OK

Question - what could be the problem? Where to dig?

UPD: There is a service that can sign with the same certificate, written in Java and signed by ESIA authorizes it. Comparing our link and the service link, we found differences only in the client_secret line, that is, in the signature.