Integrating Vault and Keycloak - JWT

Hello!
I’m trying to integrate the JWT login method, but I got stuck at one step. I don't know what I should set in user_claim and user_group in my auth/jwt/role/vault-role.
My settings look like this:

/ # vault read auth/jwt/role/vault-role
Key Value
allowed_redirect_uris [http://127.0.0.1:8200/ui/vault/auth/jwt/oidc/callback]
bound_audiences [http://127.0.0.1:8080/auth/realms/test/]
bound_claims
bound_subject 73f4e4d6-8d83-4703-984f-xxx@audience
claim_mappings
clock_skew_leeway 0
expiration_leeway 0
groups_claim e73239eb-14b7-4184-91ff-xxx
not_before_leeway 0
oidc_scopes
policies [default]
role_type oidc
token_bound_cidrs
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [default]
token_ttl 1h
token_type default
ttl 1h
user_claim *
verbose_oidc_logging false

And jwt config file:

bound_issuer http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/auth
default_role vault-role
jwks_ca_pem n/a
jwks_url n/a
jwt_supported_algs
jwt_validation_pubkeys
oidc_client_id vault
oidc_discovery_ca_pem n/a
oidc_discovery_url http://keycloak:8080/auth/realms/test

When I try to log on, I can see the button “Sign in with OIDC Provider”; after authenticating I get an error:

Token verification failed. sub claim does not match bound subject

group_claim I took from Keycloak > Clients > Credentials > Secret,
bound_subject from Client Scopes > rolename > Mappers > ID.

Could you give me any hints?
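The error in the post comes from the role's claim checks, so it helps to look at the actual claims inside the ID token and compare them with the role parameters one by one. The following is an added example, not code from the original post and not Vault's own implementation: it decodes a token's payload (without verifying the signature, which is fine for inspecting claims while debugging but never for accepting a token) and re-applies the role checks as the JWT auth method documents them: `bound_subject` against `sub`, `bound_audiences` against `aud`, `user_claim` and `groups_claim` as names of claims that must be present. The sample token is constructed; the assumption that a Keycloak ID token carries `aud` equal to the client id (`vault` here, matching `oidc_client_id` on the page) and a `groups` claim only when a group-membership mapper adds one is mine, not something stated in the post.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_sample_token(claims: dict) -> str:
    """Assemble a constructed, UNSIGNED token for illustration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment: this token must never be trusted
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (debug use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    return json.loads(b64url_decode(parts[1]))


def check_role(claims: dict, role: dict) -> list:
    """Re-apply the role's claim checks and return a list of failure reasons."""
    failures = []

    # bound_subject is compared against the token's "sub" claim, so it must be
    # the user's subject identifier, not a client-scope mapper ID.
    bound_subject = role.get("bound_subject")
    if bound_subject and claims.get("sub") != bound_subject:
        failures.append("sub claim does not match bound subject")

    # bound_audiences must intersect the token's "aud" claim (string or list).
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    bound_aud = role.get("bound_audiences", [])
    if bound_aud and not set(aud) & set(bound_aud):
        failures.append("aud claim does not match any bound audience")

    # user_claim names the claim whose value becomes the entity alias name;
    # there is no wildcard form, so "*" simply names a claim that is absent.
    user_claim = role.get("user_claim")
    if not user_claim or user_claim not in claims:
        failures.append(f"user_claim {user_claim!r} not found in token")

    # groups_claim, if set, names the claim that holds a list of group names.
    groups_claim = role.get("groups_claim")
    if groups_claim and not isinstance(claims.get(groups_claim), list):
        failures.append(f"groups_claim {groups_claim!r} missing or not a list")

    return failures


# Constructed sample claims resembling a Keycloak ID token (assumption: aud is
# the client id and "groups" exists because a group-membership mapper was added).
SAMPLE_CLAIMS = {
    "iss": "http://127.0.0.1:8080/auth/realms/test",
    "aud": "vault",
    "sub": "f47ac10b-58cc-4372-a567-0e02b2c3d479",  # constructed user id
    "preferred_username": "alice",
    "groups": ["/vault-users"],
}

# Role values as shown in the post: a mapper ID as bound_subject, the realm URL
# as audience, "*" as user_claim and a client secret as groups_claim.
ROLE_AS_POSTED = {
    "bound_subject": "73f4e4d6-8d83-4703-984f-xxx@audience",
    "bound_audiences": ["http://127.0.0.1:8080/auth/realms/test/"],
    "user_claim": "*",
    "groups_claim": "e73239eb-14b7-4184-91ff-xxx",
}

# Role values that match the sample token above (assumed claim names).
ROLE_CORRECTED = {
    "bound_subject": "",  # leave unset unless exactly one subject may log in
    "bound_audiences": ["vault"],  # the oidc_client_id
    "user_claim": "preferred_username",
    "groups_claim": "groups",
}


def compare_roles() -> dict:
    """Run both role configurations against the sample token."""
    claims = decode_claims(build_sample_token(SAMPLE_CLAIMS))
    return {
        "as_posted": check_role(claims, ROLE_AS_POSTED),
        "corrected": check_role(claims, ROLE_CORRECTED),
    }


if __name__ == "__main__":
    for name, failures in compare_roles().items():
        print(f"{name}: {failures or 'all role checks pass'}")
```

Running it against a real token works the same way: paste the ID token into `decode_claims` and the role values from `vault read auth/jwt/role/vault-role` into `check_role`, and each remaining failure names the parameter to adjust. Signature and issuer validation are left to Vault; this script only explains which claim check a login would fail.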
