Comment 33 for bug 1967690

Meanwhile, I'm pretty confident, this is the culprit:

$ iw phy0 info | grep -A9 'Supported Ciphers'
        Supported Ciphers:
                * WEP40 (00-0f-ac:1)
                * WEP104 (00-0f-ac:5)
                * TKIP (00-0f-ac:2)
                * CCMP-128 (00-0f-ac:4)
                * CCMP-256 (00-0f-ac:10)
                * GCMP-128 (00-0f-ac:8)
                * GCMP-256 (00-0f-ac:9)

while for your working config, it's

 Supported Ciphers:
  * WEP40 (00-0f-ac:1)
  * WEP104 (00-0f-ac:5)
  * TKIP (00-0f-ac:2)
  * CCMP-128 (00-0f-ac:4)
  * CCMP-256 (00-0f-ac:10)
  * GCMP-128 (00-0f-ac:8)
  * GCMP-256 (00-0f-ac:9)
  * CMAC (00-0f-ac:6)
  * CMAC-256 (00-0f-ac:13)
  * GMAC-128 (00-0f-ac:11)
  * GMAC-256 (00-0f-ac:12)

For PMF, these are required:

* CMAC (00-0f-ac:6)
* GMAC-128 (00-0f-ac:11)
* GMAC-256 (00-0f-ac:12)

Your RTL provides them, our old Intel miss them.

In theory, these ciphers are supplied easily in software, but this requires some community intelligence to be realized.

@Dirk: no amount of forcing the connection from NM (Security: WPA/WPA2 Personal), then tweaking the connection with nmcli does result in a successful connect.

If forcing the connection security to "WPA3 Personal", the connection settings are:
802-11-wireless-security.key-mgmt: sae
802-11-wireless-security.pmf: 3 (required)

With WPA/WPA2 Personal:
802-11-wireless-security.key-mgmt: wpa-psk
802-11-wireless-security.pmf: 0 (default)

Also tried:
802-11-wireless-security.key-mgmt: wpa-psk
802-11-wireless-security.pmf: 1 (disable)

@B, you can check this yourself with:

$ nmcli connection show

Look up your specific connection.

$ nmcli connection show <uuid>

Specifically:

$ nmcli connection show <uuid> | grep -E 'key-mgmt|pmf'

In my humble opinion, wpa_supplicant should test for sufficient ciphers, and not even try to connect with WPA3 otherwise. Will report this to the wpa_supplicant mailing list, but need to subscribe first...