Late, perhaps, but better late than never.
The two most important questions are:
1. What is the scope of the project? On a 10-point scale from 0 (online store) to 10 (eBay). Wangyu, which is no more than 3-4 most likely.
2. Are all microservices in a private network or scattered across the world wide web? Again, most likely the first.
If my assumptions are correct, then:
1. Fuck OAuth and other hemorrhoids. You are too young for this, you need to do everything as simply and concretely as possible. Flexibility and speed are always bought with man-hours, there are no miracles. Complete the basic requirements of susurity (brypt, mortal tokens, etc.) and no more. Write something yourself, simple, understandable, and easily maintained by programmers of the level you can hire. You will fit into 50 lines of code.
2. Put nginx at the input, which will ask the authentication microservice with a subrequest for each incoming request: "here is a request, such headers, such a url, who is it? let him in?". And write on something like Go a reader from the user base, which will give you an answer to such a question in 3 ms (and nginx will stick "Vasya" to the request and send it further or kick it off). And if there is no big load, then it can be slower, there is no need to be afraid of a delay of 15 ms for each request, this is a completely justified price for simplicity and the absence of a zoo of languages ​​and technologies.
Here I posted a very minimalistic example: github.com/bitia-ru/examples-microservices-authent...

Any oAuth 2.0 are thought up just for this purpose.
https://habr.com/ru/company/mailru/blog/115163/
Another thing is that they are used for other purposes and in smaller projects.
But the main point is that authentication goes in a separate way, independent of your microservice.
I would not warm my head, but would take a ready-made API gateway
https://konghq.com/faqs/
This is by no means.
Seriously bogs down performance.
Why do you need GWT?
To avoid such as you described.
If you want to request all the same every time, then not "from the authentication service through a message broker" but from some common memcache/Redis/Tarantool.

Why ask for the validity of the token from the most important person for each request?
Passed authorization, received a token, the authorization service itself communicates through its channels with all services in the cluster and sends them a message that such a token is valid, in fact, only after tokens are sent to everyone - authorization will be completed (and you can send a response with this token to the user ).
Similarly, there is a forced withdrawal of the token (log out).
Token - abstractly, it is a unique code plus authorization parameters - validity period and access rights

And where should the services store this valid token?
And the client has a token stored, as I understand it, in the memory of the client application?
I'm talking about access-token ..