DNS validation is wrong, TXT record is fine

From the RFC:
keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))

That's how you compute the key authorization.

A client fulfills this challenge by constructing a key authorization
from the "token" value provided in the challenge and the client's
account key. The client then computes the SHA-256 digest [FIPS180-4]
of the key authorization.

That's the key authorization above, which is the token, a '.', and then the base64url thumbprint.

The record provisioned to the DNS contains the base64url encoding of
this digest.

So the DNS record is the sha256 of the keyAuthorization, base64url-encoded.

That looks like what you've written as option 3 above.

If you can't get this to work, I'd suggest using an off-the-shelf library instead of writing your own from scratch, or at least testing with another client to make sure you're computing the same value.

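The three steps quoted from RFC 8555 above (key authorization, SHA-256, base64url), written out as an added example; this is not code from the original post and not any particular ACME client's implementation. It uses only the Python standard library, and the EC account key, its extra members and the challenge token are constructed placeholders, not a real key or a real challenge. The thumbprint follows RFC 7638: only the required public members of the JWK, sorted lexicographically, serialized without whitespace, hashed with SHA-256, and base64url-encoded without padding. The places people usually go wrong are handled explicitly: padding is stripped, optional members such as "alg", "use" and "kid" are excluded from the thumbprint input, and the digest is taken over the ASCII bytes of the key authorization string rather than over a hex encoding of anything.

```python
import base64
import hashlib
import json
import re

# JWK members that go into the RFC 7638 thumbprint, per key type.
# Anything else (alg, use, kid, key_ops, private members) must be left out.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# RFC 8555 tokens are base64url characters only; reject anything else so a
# hostile token can never smuggle other characters into the DNS record.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url with the '=' padding removed, as RFC 8555 and RFC 7638 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """True if the challenge token contains only base64url characters."""
    return bool(_TOKEN_RE.match(token))


def thumbprint_input(jwk: dict) -> bytes:
    """Canonical JSON that RFC 7638 hashes: required members only, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    members = _THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members {missing}")
    subset = {m: jwk[m] for m in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) -- the Thumbprint(accountKey) in the RFC."""
    return b64url(hashlib.sha256(thumbprint_input(jwk)).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))"""
    if not is_valid_token(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record: base64url(SHA-256(keyAuthorization))."""
    ka = key_authorization(token, account_jwk)
    # The digest is over the ASCII string itself, not over a hex or other encoding.
    return b64url(hashlib.sha256(ka.encode("ascii")).digest())


# Constructed placeholders for demonstration only (not a real key, not a real token).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "Xc0r2kN-tVo9pX8sW0jZc0j4o9w2Uz3z9f4bL2m0Qd0",
    "y": "W8Yd5n6nO4wQ1zB2k3V0cR7pS9jT6uA5xH2gF1eD0cA",
    "alg": "ES256",   # excluded from the thumbprint
    "use": "sig",     # excluded from the thumbprint
    "kid": "acct-1",  # excluded from the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("_acme-challenge TXT:", dns01_record_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

To check the thumbprint step in isolation, RFC 7638 section 3.1 gives an RSA JWK and its expected thumbprint; pasting that JWK into `jwk_thumbprint` should reproduce the RFC's value. For the whole pipeline, compare `dns01_record_value` against what another ACME client publishes for the same account key and token, which is the cross-check suggested in the post.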