I have just looked into an SSH_MSG_USERAUTH_REQUEST message sent by an OpenSSH 8.2 corresponding to ecdsa-sha2-nistp256 public key authentication, and it does look too small for the data that is supposed to be transferred. Is this client perhaps using point compression?