One thing to note is that if you have an invalid signature, you normally would get an error 400 with a response body, and it would be logged on the server.
Getting an error 500 is quite strange. It could be that the request is malformed. Try upgrading to 0.4.4 as it might give more information in the logs.
Regarding the steps, 3 seems a bit confused. You would have your private key already, which is calculated from the seed (used for admin authentication).
In 3, you need to double SHA256 the mutation bytes (be careful not to be hashing the hex representation of the mutation), then in 5, sign the result of that using your private key.
4 is separate, you just get the public key corresponding to the private key so you can send it to the API endpoint along with the signature (used for verification).
If you show me your code, I can probably tell you if it looks correct.
EDIT: Looking at the code above, it seems the problem might be that you are hashing the hex representation (which is a string) of the mutation instead of the bytes themselves.
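
The mistake described in the EDIT above, as an added example that is not part of the original reply and is not the project's own code: a signature made over the hash of the mutation's hex text does not verify against the mutation bytes. The sample mutation is constructed, and the secp256k1 curve, the DER signature encoding and all function names are assumptions.

```javascript
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const doubleSha256 = (buf) => sha256(sha256(buf));

// Strict decode: Buffer.from(s, 'hex') silently truncates at the first bad character.
function hexToBytes(hex) {
  if (!/^([0-9a-f]{2})+$/i.test(hex)) throw new Error('not a hex string');
  return Buffer.from(hex, 'hex');
}

// ECDSA over doubleSha256(data): crypto.sign('sha256', ...) applies the outer
// SHA-256 itself, so it is handed the inner hash as its message.
function signDoubleSha256(data, privateKey) {
  return crypto.sign('sha256', sha256(data), privateKey);
}

// Verifier side: decode the mutation to bytes, then check the signature over them.
function verifyMutation(mutationHex, signature, publicKey) {
  return crypto.verify('sha256', sha256(hexToBytes(mutationHex)), publicKey, signature);
}

function demo() {
  // Constructed sample bytes, not a real mutation; the curve is an assumption.
  const mutationHex = '0a106f70656e636861696e2064656d6f';
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

  const asBytes = hexToBytes(mutationHex);            // 16 bytes
  const asHexText = Buffer.from(mutationHex, 'utf8'); // 32 ASCII characters (the bug)

  const fromBytes = signDoubleSha256(asBytes, privateKey);
  const fromHexText = signDoubleSha256(asHexText, privateKey);

  return {
    digestsDiffer: !doubleSha256(asBytes).equals(doubleSha256(asHexText)),
    bytesSignatureValid: verifyMutation(mutationHex, fromBytes, publicKey),
    hexTextSignatureValid: verifyMutation(mutationHex, fromHexText, publicKey),
  };
}

console.log(demo());
```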