I am wondering if the Date header is overridden by something (read a reverse proxy) in the render architecture.
We have signature that are based on the Date header and it looks like it sometimes slip 1s causing the verification to fail in clients.
It might be in our code, but we wanted to rule out the render side.