We use `application/json` on our JWK URLs and as you says that appears to work correctly, I haven't tried switching to `application/jwk-set+json`. Looking in RFC 7517 it does define the new content types in section 8 of the RFC https://datatracker.ietf.org/doc/html/rfc7517#section-8.5, however it only states "which can be used to indicate that the content is a JWK or a JWK Set".
The RFC does specify that a content type MUST be used if using and encrypted JWKS, but as you're just sharing public keys there's no need for the encryption.
Checking other services it doesn't look like anyone else big uses this MIME type for the JWKS:
❯ curl -sv https://canvas.instructure.com/api/lti/security/jwks 2>&1 | grep -i content-type:
< content-type: application/json; charset=utf-8
❯ curl -sv https://www.googleapis.com/oauth2/v3/certs 2>&1 | grep -i content-type:
< content-type: application/json; charset=UTF-8
❯ curl -sv https://login.microsoftonline.com/common/discovery/v2.0/keys 2>&1 | grep -i content-type:
< Content-Type: application/json; charset=utf-8
❯ curl -sv https://www.facebook.com/.well-known/oauth/openid/jwks/ 2>&1 | grep -i content-type:
< content-type: application/json; charset=utf-8
So it looks like most people just use `application/json` for the content-type header.
