GRPC Auth problem with GCP IAP

Hi all,

Working with Google Cloud and Kubeflow, I would like to establish a GRPC connection with a pod in my cluster.
My current setup includes a istio-ingressgateway configured with Cloud Identity-Aware Proxy as authorization layer.
I already have in place a virtual service to redirect my traffic from the ingress-gateway to the GRPC pod port.

When I local port-forward to my ingress-gateway http2 port, I am unable to send requests getting the following error:

grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAUTHENTICATED
        details = "Origin authentication failed"
        debug_error_string = "{"created":"@1587401119.875413000","description":"Error received from peer ipv6:[::1]:8080","file":"src/core/lib/surface/","file_line":1056,"grpc_message":"Origin authentication failed","grpc_status":16}"

From the error code I can notice that is a problem in authenticating my GRPC Channel.

The problem looks even stranger when I look to my ingress-gateway logs, where I can see the following for my failed request:

"POST /seldon.protos.Seldon/Predict HTTP/2" 200 - "-" 0 0 0 - "" "grpc-python/1.27.2 grpc-c/9.0.0 (osx; chttp2; guantao)"

which in the logs looks successful.
My current security policy is:

kind: Policy
  annotations: |
  creationTimestamp: "2020-04-18T09:43:46Z"
  generation: 2
  labels: iap-ingress iap-ingress-v1.0.0 kfctl iap-ingress kubeflow v1.0.0
    kustomize.component: iap-ingress
  name: ingress-jwt
  namespace: istio-system
  resourceVersion: "8170"
  selfLink: /apis/
  uid: *********
  - jwt:
      - /projects/2********/global/backendServices/
      - x-goog-iap-jwt-assertion
      - excluded_paths:
        - exact: /healthz/ready
        - prefix: /.well-known/acme-challenge
  principalBinding: USE_ORIGIN
  - name: istio-ingressgateway
    - number: 80

Using REST I was able to authenticate successfully my requests, adding a token to my request following what described here
I’ve tried various ways to authenticate my requests in GRPC with no success:

Is there any example in creating a secure channel with Cloud IAP?

Many Thanks