I have integrated the PayPal REST API via the JavaScript SDK:
<script>
paypal.Buttons({
    // Render PayPal's hosted card fields next to the PayPal button
    enableStandardCardFields: true,
    // Create the order; $order_details is echoed server-side by PHP as a JSON object
    createOrder: function (data, actions) {
        return actions.order.create(<?=$order_details?>);
    },
    // Buyer approved (and, for cards, completed any issuer verification): capture the funds
    onApprove: function (data, actions) {
        $('.loader').removeClass('hidden');
        return actions.order.capture().then(function (details) {
            saveOrder(details.status, details.id);
        });
    },
    // Any SDK error raised during create / approve / capture
    onError: function (err) {
        $('.loader').addClass('hidden');
        openModal('paypal error', 'error');
    }
}).render('#paypal-button-container');
</script>
Everything works fine if customers pay with a PayPal account, but when they use the form to pay by credit or debit card they get 400 errors that stall the payment flow a few seconds after they are prompted by their card-issuing bank to complete an additional verification. The errors in the console are:
POST https://www.paypal.com/webapps/helios/api/switch/threeDSLookUp 400
POST https://www.paypal.com/webapps/helios/api/checkout/83T90328GR130744R/session/clear3DSContingency 400
I tried paying with a test card on the PayPal sandbox and the payment completes successfully. Does PayPal have a problem, or are there errors in my implementation?
Edit:
The response bodies of the two requests that return the 400 status are empty; I can paste the response headers from the network tab:
General
Request URL: https://www.paypal.com/webapps/helios/api/switch/threeDSLookUp
Request Method: POST
Status Code: 400
Remote Address: 2.17.140.171:443
Referrer Policy: strict-origin-when-cross-origin
Response Headers
cache-control: max-age=0, no-cache, no-store, must-revalidate
content-length: 477
content-security-policy: default-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://*.paypal.com https://*.paypalobjects.com https://*.qualtrics.com; script-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' https://*.paypal.com https://*.paypalobjects.com https://*.cardinalcommerce.com https://*.qualtrics.com; img-src https: data:; form-action 'self' https://*.paypal.com https://*.cardinalcommerce.com; base-uri 'self' https://*.paypal.com; object-src 'none'; block-all-mixed-content;; report-uri https://www.paypal.com/csplog/api/log/csp
content-type: application/json; charset=utf-8
date: Wed, 31 Mar 2021 10:57:55 GMT
dc: phx-origin-www-1.paypal.com
etag: W/"1dd-PCgk17aCFosoAOdUfcJ2eD6QiiM"
paypal-debug-id: 5d9937b9701fc
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-edgeconnect-midmile-rtt: 160
x-edgeconnect-origin-mex-latency: 220
x-xss-protection: 1; mode=block
and
General
Request URL: https://www.paypal.com/webapps/helios/api/checkout/83T90328GR130744R/session/clear3DSContingency
Request Method: POST
Status Code: 400
Remote Address: 2.17.140.171:443
Referrer Policy: strict-origin-when-cross-origin
Response Headers
cache-control: max-age=0, no-cache, no-store, must-revalidate
content-length: 502
content-security-policy: default-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://*.paypal.com https://*.paypalobjects.com https://*.qualtrics.com; script-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' https://*.paypal.com https://*.paypalobjects.com https://*.cardinalcommerce.com https://*.qualtrics.com; img-src https: data:; form-action 'self' https://*.paypal.com https://*.cardinalcommerce.com; base-uri 'self' https://*.paypal.com; object-src 'none'; block-all-mixed-content;; report-uri https://www.paypal.com/csplog/api/log/csp
content-type: application/json; charset=utf-8
date: Wed, 31 Mar 2021 10:57:56 GMT
dc: phx-origin-www-1.paypal.com
etag: W/"1f6-AvJ2sqQswE251OZ1PTs3yJOewDs"
paypal-debug-id: dc051a9676ef9
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-edgeconnect-midmile-rtt: 158
x-edgeconnect-origin-mex-latency: 683
x-xss-protection: 1; mode=block
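One check a practitioner would want alongside the handler in the question: the `details.status` and `details.id` that `onApprove` receives come from the browser, so the server should not record a sale from them directly but re-fetch the order by id with its own API credentials and validate what came back before `saveOrder` persists anything. This is an added example, not the asker's code or PayPal's; `validateCapturedOrder`, the `expected` argument and the sample responses are my own, and the Orders v2 field names used (`purchase_units[].payments.captures[]`, `payment_source.card.authentication_result.liability_shift`) are assumed from the v2 response format.

```javascript
// Added example (not the asker's code): validate an order the server has
// re-fetched from GET /v2/checkout/orders/{id} before treating it as paid.
// Field names follow the PayPal Orders v2 response shape as assumed here.

function validateCapturedOrder(order, expected) {
  const problems = [];
  if (!order || order.status !== 'COMPLETED') {
    problems.push('order status is not COMPLETED');
  }
  const unit = (order && order.purchase_units && order.purchase_units[0]) || {};
  const capture = (unit.payments && unit.payments.captures && unit.payments.captures[0]) || {};
  if (capture.status !== 'COMPLETED') {
    problems.push('capture status is not COMPLETED');
  }
  // Compare against the cart total the server computed, never a client-supplied figure.
  const amount = capture.amount || {};
  if (amount.currency_code !== expected.currency || amount.value !== expected.value) {
    problems.push('captured amount does not match the cart');
  }
  // Card payments: require the issuer to have taken liability via 3-D Secure
  // (the "additional verification" step in the question). PayPal-wallet
  // payments carry no card block, so the check is skipped for them.
  const card = order && order.payment_source && order.payment_source.card;
  if (card) {
    const auth = card.authentication_result || {};
    if (auth.liability_shift !== 'POSSIBLE') {
      problems.push('no 3-D Secure liability shift: ' + (auth.liability_shift || 'missing'));
    }
  }
  return { ok: problems.length === 0, problems: problems };
}

// Constructed sample responses for the two outcomes; not captured from PayPal.
const SAMPLE_CARD_OK = {
  id: 'ORDER-ID-PLACEHOLDER', status: 'COMPLETED',
  purchase_units: [{ payments: { captures: [{ status: 'COMPLETED', amount: { currency_code: 'EUR', value: '49.90' } }] } }],
  payment_source: { card: { authentication_result: { liability_shift: 'POSSIBLE' } } },
};
const SAMPLE_CARD_NO_SHIFT = {
  id: 'ORDER-ID-PLACEHOLDER', status: 'COMPLETED',
  purchase_units: [{ payments: { captures: [{ status: 'COMPLETED', amount: { currency_code: 'EUR', value: '9.90' } }] } }],
  payment_source: { card: { authentication_result: { liability_shift: 'NO' } } },
};

console.log(validateCapturedOrder(SAMPLE_CARD_OK, { currency: 'EUR', value: '49.90' }));
console.log(validateCapturedOrder(SAMPLE_CARD_NO_SHIFT, { currency: 'EUR', value: '49.90' }));
```

Only an order that passes every check should be handed to `saveOrder`; a failed check is the signal to keep the order unfulfilled and investigate, since the capture may still have succeeded on PayPal's side.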