reading https://reference.opcfoundation.org/Core/Part6/v105/docs/6.7.2.5.1
I found something that is not as our stack implements it:

ExtraPaddingSize Byte:
The most significant byte of a two-byte integer used to specify the padding size when the key used to encrypt the message chunk is larger than 2 048 bits. This field is omitted if the key length is less than or equal to 2 048 bits.

What we actually do is omit the field if the MaximumPlainTextSize is less than or equal to 256 bytes.
The problem is that the MaximumPlainTextSize is CipherTextSize - AsymmetricEncryptionOverhead

Where CipherTextSize = (KeyLength + 7)/8
AsymmetricEncryptionOverhead = 11 for Basic128Rsa15
AsymmetricEncryptionOverhead = 42 for Aes128Sha256RsaOaep, Basic256Sha256 and Basic256
AsymmetricEncryptionOverhead = 66 for Aes256Sha256RsaPss

I did a quick test with an RSA certificate of 2064 bits, and was able to connect with .NET, UAExpert, and CTT,
so other vendors did probably also use the MaximumPlainTextSize here.