If you haven't changed any of the default Login logic, then yes: a server action is definitely being called.
Well, it looks like you've checked pretty much everything. As a final sanity check, could you confirm if the "pinning.json" file points to the exact hostname you are trying to pin? Wildcards and sub domains are not allowed, so it must match the hostname you want to validate exactly.
If that checks out, could you please open a support case with us, so we can have a look at what's wrong?
Thank you for your patience, and best regards,
Carlos Simões