So after some debugging on my end, I’m not sure if this is necessary a bug in the micro.blog ios client or the indieauth tokens endpoint.
microblog-react/src/api/MicroPubApi.js at 0ac479abfb560b42fed39deb043c58354598b000 · microdotblog/microblog-react · GitHub If I drop the encodeURIComponent and send the auth_code raw, the verification succeeds.
Looking at the spec, IndieAuth I don’t see anything about encoding enforcement but logically, you’d expect the fields in x-www-url-form-urlencoded requests to be url encoded so 
I also came across indieauth issue #44 (can’t post more than two links as a “new user”) which seems to suggest that this auth flow is deprecated?
I’m also not a JS dev so I could be completely off base here but I can at least reproduce this. Not sure if I should open this as a bug report on microblog-react or send a report to indieauth or ???
Going to look into this more to see if there’s an errant double URIencode somewhere