I had the same problem with my embedded MbedTLS client! Spent the entire day trying to figure out why I got a NOT AUTHORIZED error from the server until I found this post.
I think the HiveMQ team needs to fix this with a proper error code or fail a TLS handshake in the first place. Because it is incredibly confusing since the TLS handshake passes successfully, and the server processes CONNAC packet and then returns CONACK with an error code 5 (NOT AUTHORIZED), with actually has nothing to do with the problem itself!