Welcome to the community and thanks for your detailed question! 
This is a known issue that appeared after Streamlit v1.48, where st.logout() started using the OIDC end_session_endpoint and, by default, sets post_logout_redirect_uri to the base of your redirect_uri (e.g., https://xxxxxx.com/oauth2callback), which may not match your Okta-allowed logout URLs (which expect https://xxxxxx.com). This mismatch causes the 400 error you’re seeing. The behavior and root cause are discussed in detail in Streamlit issue #12169 and Streamlit PR #11901.
Currently, Streamlit does not provide a built-in way to override the post_logout_redirect_uri parameter sent to your OIDC provider. The value is derived from your redirect_uri by stripping /oauth2callback, but this may not always match your Okta configuration. As a workaround, you can manually construct a logout URL for Okta and present it as a link or button in your app, or you can consider downgrading to 1.47.1 or earlier, where this issue does not occur. For more details and community discussion, see the Streamlit forum thread and the Streamlit documentation for st.logout.
Sources: