Is this the only thing you have in the log file? I just had another look in the code.
At the same time server2 creates this log message (and the same, the other way around):
{"reqId":"6F\/v9WQCsaouF2xPUWRO","remoteAddr":"","app":"federation","message":"https:\/\/cloud.server1.org refused to ask for a shared
server1 should create one of these log messages:
Either:
remote server not trusted (https://cloud.server2.org) while requesting shared secret
Or:
remote server (https://cloud.server2.org) presented lower token. We will initiate the exchange of the shared secret.
because these are the two situations in which we return a 403, which will lead to the other message you posted. If none of the two messages show up in your log file, there seems to be another code path on your system which results in a 403.