For others who might find their way here some day…the answer is that most of the Identity and Access Management services (Auth0, Okta, etc.) will only accept a browser request (not a Javascript request) to their /authorize endpoint.
In my case, I started the whole login process from a Javascript function, so Javascript was handing all of the HTTP interactions with the Phoenix server, including the redirect to Okta.
Simply changing my Nuxt app to do a normal browser location change (by just using a href on a login link instead of calling a Javascript function) made it work as expected.
Well that was painful…
