Glad you got this figured out
This would mean that the ID Token didn't contain a sub claim which is rather strange. The logs ( if you get them from your support engineer ) would contain a line that says
claims.principal not found in {your ID Tokens claims here in json format}