ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key
In the destination site (not my Identity Server), I made a mistake setting up the token.
A big part of the problem is that I was trying to set up too many filter criteria in the token definition. If you are only using one relying party and your server doesn’t have a bazillion encryption certificates on it, then you don’t need to use all of the possible filters in your token filter definition. The thumbprint should suffice.
Also, I was using load balancing, and the token information is (possibly) a little different for each host of a load-balanced environment. So you need to get the thumbprint from each load-balanced Identity Server individually. They may or may not be the same. You are allowed to use several thumbprints, and the server (RP) will figure out which one to use.
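One way to do the per-host thumbprint collection described above, as an added PowerShell example that is not part of the original post. The host names, the subject filter, the store path (LocalMachine\My) and the thumbprints listed for the relying party are assumptions or constructed sample values.

```powershell
# Hypothetical names of the load-balanced Identity Server nodes.
$IdentityServers = 'idsrv01.example.internal', 'idsrv02.example.internal'

# Assumption: the certificate of interest can be picked out by subject text.
$SubjectFilter = 'CN=sts.example.internal'

# Thumbprints currently listed on the relying party (constructed sample values).
# The first carries spaces and the invisible U+200E mark that the certificate
# MMC dialog prepends when a thumbprint is copied from it.
$ConfiguredOnRp = @(
    "$([char]0x200E)01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67",
    '89ABCDEF0123456789ABCDEF0123456789ABCDEF'
)

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: drops spaces, colons and invisible Unicode marks.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$configured = @($ConfiguredOnRp | ForEach-Object { ConvertTo-NormalizedThumbprint $_ })

# Read the certificate store on each node individually (needs PowerShell remoting).
# Assumption: the certificate lives in the LocalMachine\My store on every node.
$found = Invoke-Command -ComputerName $IdentityServers -ArgumentList $SubjectFilter -ScriptBlock {
    param($filter)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$filter*" } |
        Select-Object Thumbprint, Subject, NotAfter
}

# One row per certificate per node, flagged by whether the RP already lists it.
$report = foreach ($cert in $found) {
    $tp = ConvertTo-NormalizedThumbprint $cert.Thumbprint
    [pscustomobject]@{
        Node       = $cert.PSComputerName
        Thumbprint = $tp
        Expires    = $cert.NotAfter
        ListedOnRp = $configured -contains $tp
    }
}
$report | Sort-Object Node | Format-Table -AutoSize

# The nodes may or may not share one certificate; report how many distinct ones exist.
$distinct = @($report.Thumbprint | Sort-Object -Unique)
Write-Output "Distinct thumbprints across nodes: $($distinct.Count)"

# Any thumbprint found on a node but absent from the RP configuration is a candidate cause.
$report | Where-Object { -not $_.ListedOnRp } | ForEach-Object {
    Write-Warning "Thumbprint $($_.Thumbprint) on $($_.Node) is not listed on the relying party"
}
```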