Porting from acquia/http-hmac-go#16, the spec seems to indicate that X-Server-Authorization-HMAC-SHA256 should not be blank even if the response body is blank:
The response signature base string is a concatenated string generated from the following parts:
Nonce: The nonce that was sent in the Authorization header.
Timestamp: The timestamp that was sent in the X-Authorization-Timestamp header
Porting from acquia/http-hmac-go#16, the spec seems to indicate that X-Server-Authorization-HMAC-SHA256 should not be blank even if the response body is blank: