The PHP snippet provided to verify the signature of an incoming webhook payload uses http_build_query to generate a query string, which ignores any null value in an array.
This returns a query string that is missing some keys that were provided in the payload, generating a wrong signature down the line.

I lost a few hours trying to find out why my signatures were not matching. I eventually found out by running the Node.js snippet and comparing the generated parameter strings.

The workaround is to implement http_build_query yourself. I ended up using this https://stackoverflow.com/a/16451823/11178709