Consistently getting "invalid token data" when trying to reset user password

I’m trying to implement password reset in my iOS app. Upon user request, I call the following (Swift) code in the app:

let realmApp = App(id: REALM_ID)
realmApp.emailPasswordAuth.callResetPasswordFunction(email: "emailEnteredByUser", password: "password", args: [], completion)

My password reset function is the following:

exports = async function({ token, tokenId, username, password }) {
  const ses = context.services.get('AmazonSES').ses("us-east-2");
  
  const link = `https://.../reset_password?lang=en&token=${token}&tokenId=${tokenId}`;

  // send custom email with link using Amazon SES
  const result = await ses.SendTemplatedEmail({...});

  return { status: 'pending' };
};

I don’t use the password sent by the app (which I literally fill with "password") for security reasons, because I have no way to authenticate the user.

The link to my website points to a JS script that looks like this:

// get parameters
const params = new URLSearchParams(window.location.search);
const lang = params.get("lang");
const token = params.get("token");
const tokenId = params.get("tokenId");

const passwordField = document.getElementById("fpassword");

[...]

function confirmButtonWasClicked() {
	const app = new Realm.App({ id: REALM_ID });
	app.emailPasswordAuth.resetPassword(passwordField.value, token, tokenId).then(
		(value) => {
			success();
		},
		(error) => {
			failure();
		}
	);
}

The problem is, I get the following error every single time I try to reset the password:
Request failed (POST https://stitch.mongodb.com/api/client/v2.0/app/REALM_ID/auth/providers/local-userpass/reset): invalid token data (status 400)

I’m using:
RealmSwift v10.7.2
Realm-web@1.2.0 (https://unpkg.com/realm-web@1.2.0/dist/bundle.iife.js)