Connect app authentication without user impersonation issue (jwt missing subject error)

I need to do queries to Confluence API in headless scenario (no user impersonation). I’ve found this guide - Security for Connect apps and start implementing it.
So, I have a Connect app with jwt authentication and read scope. It is successfully installed and I have shared key and OAuth client id.
I’m constructing jwt according to this:

  "tnt": "https://<my_instance>", // looks like this is required
  "nbf": 1660932251,
  "exp": 1660932371,
  "iat": 1660932251,
  "iss": "urn:atlassian:connect:clientid:<connect-addon-client-id>",
  "aud": "" // also does not work without this

I’m trying to exchange this JWT to an access token. Params are

{"grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"},
{"scope", "READ"},
{"assertion", jwt},

I get an error "{\"error\":\"invalid_grant\",\"error_description\":\"Missing subject\"}". If I pass token with empty sub, it is also fails.
I guess when I will add user account id as sub everything would fly, but this does not fulfill my requirements. I’ve looked for some code samples and most of them (like this one) have user built in the jwt.

Added read_as_user scope to addon, passed user account id as sub in jwt, received token successfully.
The original question how to request a token that has no user associated with it still holds.