Why do I keep getting an "invalid SAML response/relay state" error when trying to authenticate in my AWS Cognito user pool via Okta (IdP-initiated)?

I'm working on a POC application to see if a migration from Auth0 to AWS Cognito is suitable for my company's needs. IdP-initiated login via the Okta dashboard is a key aspect. AWS Cognito recently improved and now accepts SP-initiated and IdP-initiated SAML assertions for SAML identity providers created in a user pool.

Following this guide, I link this identity provider to its own app client, and in Okta I create a developer account and a SAML 2.0 application, and specify the Single sign-on URL (user pool domain + the /saml2/idpresponse suffix) and the audience URI. This value, according to contradictory AWS guides, should be either urn:amazon:cognito:sp:UserPoolId or the user pool ARN value, which is a different value than the one the user pool gives. You also need to link attributes such as email, as I have done.

The guide states that the Relay State value should be sent as identity_provider%3D{Name of the identity provider in user pool}%26client_id%3D{cognito's app client id}%26redirect_uri%3Dhttps%3A%2F%2F{redirect uri specified in app client}%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bphone, which I do. I also tried sending it blank. But no matter which way I choose, I keep arriving at the following error when clicking on my app in the Okta dashboard.

The crazy thing is that the Okta authentication is successful according to its logs:

    Nov 07 11:16:42
    
    Juan Perez (User)
    {ip}
    User single sign on to app
    SUCCESS
    my-app-name  (AppInstance)
    Juan Perez  (AppUser)
    Nov 07 11:16:42
    
    Juan Perez (User)
    {ip}
    Evaluation of sign-on policy
    ALLOW
    my-app-name  (AppInstance)
    Catch-all Rule  (Rule)

So the error must be in the way the relay state value is sent, or somewhere else. SAML tracer extensions didn't prove useful; the error message just reads what is seen in the screenshot. I'm waiting for an answer from Okta support as well.

Upvotes: 0

Views: 217
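An added example, not from the question or from AWS/Okta: a small Python helper that builds the RelayState in exactly the single-percent-encoded form the question quotes, decodes one back, and reports the mismatches that make Cognito reject it (wrong identity provider name, wrong client id, a redirect_uri that is not an exact match for a configured callback URL). The provider name, client id and callback URL are constructed placeholders.

```python
from urllib.parse import quote, unquote

# Constructed placeholder values standing in for the user pool's app client settings.
IDP_NAME = "Okta"                                    # identity provider name in the user pool
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"                  # placeholder app client id
CALLBACK_URLS = {"https://app.example.com/callback"}  # app client's allowed callback URLs


def build_relay_state(identity_provider, client_id, redirect_uri,
                      response_type="code", scope="email+openid+phone"):
    """Join the parameters as a query string, then percent-encode the whole
    string once so '=', '&', ':', '/' and '+' all appear as %XX, as in the guide."""
    params = [("identity_provider", identity_provider), ("client_id", client_id),
              ("redirect_uri", redirect_uri), ("response_type", response_type),
              ("scope", scope)]
    inner = "&".join(f"{k}={v}" for k, v in params)
    return quote(inner, safe="")


def parse_relay_state(relay_state):
    """Undo one layer of percent-encoding and split into a dict. Splitting by
    hand keeps the '+' inside scope literal (parse_qs would turn it into a space)."""
    pairs = {}
    for part in unquote(relay_state).split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key] = value
    return pairs


def check_relay_state(relay_state, idp_name=IDP_NAME, client_id=CLIENT_ID,
                      callback_urls=CALLBACK_URLS):
    """Return the list of mismatches between the RelayState and the app client
    settings; an empty list means every field lines up."""
    p = parse_relay_state(relay_state)
    problems = []
    for key in ("identity_provider", "client_id", "redirect_uri", "response_type"):
        if key not in p:
            problems.append(f"missing {key}")
    if p.get("identity_provider") not in (None, idp_name):
        problems.append(f"identity_provider {p['identity_provider']!r} != {idp_name!r}")
    if p.get("client_id") not in (None, client_id):
        problems.append("client_id does not match the app client")
    if "redirect_uri" in p and p["redirect_uri"] not in callback_urls:
        problems.append(f"redirect_uri {p['redirect_uri']!r} is not an exact match "
                        "for a configured callback URL (scheme, host, path, trailing slash)")
    if p.get("response_type") not in (None, "code", "token"):
        problems.append(f"unexpected response_type {p['response_type']!r}")
    return problems
```

Paste the RelayState value copied from the Okta application settings into check_relay_state to see which field disagrees with the app client before blaming the SAML exchange itself.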

Answers (0)
