OCSP must-staple can fail on an incorrect certificate list under TLS 1.3
When a server chain is received that contains:
1. [server cert] || [ocsp response]
2. [server cert]
3. [ca cert]
and the server cert has the extension that requires an OCSP response, then gnutls will fail to verify that chain.
The code that enforces it goes through the list of the certificates as sent by the server and enforces the flag. It fails at point (2) because the certificate is not accompanied by a corresponding response. Indeed the response was previously sent in step 1, so gnutls could have used it.
We could introduce some logic to handle it, though I am not sure whether the problem is significant enough to warrant additional complexity.
Edited by Nikos Mavrogiannopoulos
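As an added illustration (not GnuTLS code, and not part of the issue), the following Python models the situation above: it encodes and parses a TLS 1.3 Certificate message whose entries carry per-certificate `status_request` extensions (RFC 8446), then runs two must-staple checks over the parsed list, the position-based one the issue describes and an identity-based variant that accepts the chain with the duplicated server certificate. The certificate and OCSP bytes are constructed placeholders, and `is_must_staple` stands in for reading the X.509 TLS Feature extension (RFC 7633) from the certificate; real code would parse it.

```python
"""Model of the TLS 1.3 must-staple check from the issue (added example, not
GnuTLS code). In TLS 1.3 the OCSP response travels inside the Certificate
message as a status_request extension on each CertificateEntry, so a chain
can repeat a certificate with the response attached only once."""
import hashlib

STATUS_REQUEST = 5    # extension_type for status_request (RFC 6066 / RFC 8446)
OCSP_STATUS_TYPE = 1  # CertificateStatusType.ocsp


def _vec(data: bytes, width: int) -> bytes:
    """TLS length-prefixed vector with a `width`-byte length field."""
    return len(data).to_bytes(width, "big") + data


def encode_certificate_message(entries):
    """Build a TLS 1.3 Certificate body (no handshake header) from
    [(cert_der, ocsp_response_or_None)], one CertificateEntry per item."""
    body = b""
    for cert, ocsp in entries:
        exts = b""
        if ocsp is not None:
            status = bytes([OCSP_STATUS_TYPE]) + _vec(ocsp, 3)   # CertificateStatus
            exts += STATUS_REQUEST.to_bytes(2, "big") + _vec(status, 2)
        body += _vec(cert, 3) + _vec(exts, 2)
    return _vec(b"", 1) + _vec(body, 3)  # empty certificate_request_context, certificate_list


class _Cursor:
    """Bounds-checked reader over a byte string."""
    def __init__(self, data): self.data, self.off = data, 0
    def u(self, width):
        if self.off + width > len(self.data): raise ValueError("truncated field")
        v = int.from_bytes(self.data[self.off:self.off + width], "big"); self.off += width
        return v
    def vec(self, width):
        n = self.u(width)
        if self.off + n > len(self.data): raise ValueError("truncated vector")
        out = self.data[self.off:self.off + n]; self.off += n
        return out
    def done(self): return self.off == len(self.data)


def parse_certificate_message(msg):
    """Inverse of encode_certificate_message: [(cert_der, ocsp_or_None)] in wire order."""
    c = _Cursor(msg)
    c.vec(1)                          # certificate_request_context
    lst = _Cursor(c.vec(3))           # certificate_list
    if not c.done(): raise ValueError("trailing data after certificate_list")
    entries = []
    while not lst.done():
        cert = lst.vec(3)
        if not cert: raise ValueError("empty cert_data")
        exts = _Cursor(lst.vec(2))
        ocsp = None
        while not exts.done():
            ext_type = exts.u(2)
            ext = _Cursor(exts.vec(2))
            if ext_type == STATUS_REQUEST:
                if ext.u(1) != OCSP_STATUS_TYPE: raise ValueError("unsupported status_type")
                ocsp = ext.vec(3)
                if not ext.done(): raise ValueError("trailing data in CertificateStatus")
        entries.append((cert, ocsp))
    return entries


# Constructed placeholder bytes; real inputs would be DER certificates and an OCSPResponse.
SERVER_CERT = b"DER(server cert, constructed placeholder)"
CA_CERT = b"DER(ca cert, constructed placeholder)"
SERVER_OCSP = b"DER(OCSPResponse for server cert, constructed placeholder)"
MUST_STAPLE = {hashlib.sha256(SERVER_CERT).digest()}  # stand-in for the TLS Feature extension

# The chain from the issue, in the order the server sent it.
ISSUE_CHAIN = [(SERVER_CERT, SERVER_OCSP), (SERVER_CERT, None), (CA_CERT, None)]


def is_must_staple(cert):
    """Hypothetical stand-in: real code parses the RFC 7633 TLS Feature extension."""
    return hashlib.sha256(cert).digest() in MUST_STAPLE


def check_by_position(entries):
    """The check the issue describes: every must-staple entry needs its own response."""
    return all(ocsp is not None for cert, ocsp in entries if is_must_staple(cert))


def check_by_identity(entries):
    """Remedy: gather responses per certificate first, then enforce the flag."""
    stapled = {cert for cert, ocsp in entries if ocsp is not None}
    return all(cert in stapled for cert, _ in entries if is_must_staple(cert))


if __name__ == "__main__":
    parsed = parse_certificate_message(encode_certificate_message(ISSUE_CHAIN))
    print("by position:", check_by_position(parsed))   # False: entry 2 has no response
    print("by identity:", check_by_identity(parsed))   # True: the response from entry 1 covers it
```

The identity-based variant accepts the chain without weakening the requirement: a must-staple certificate for which no entry in the message carries a response still fails, so the only chains it newly accepts are ones where the response was present but attached to another copy of the same certificate.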