For the input value :  (sans indent) 

The online tool at : 
Whereas the "Generate Security Hash" 

 

As well as :  which gives a different answer. 

We find another online tool That gives the same answer as the "Generate Security Hash" assertion.

After printing out the raw characters being hashed we find that the assertion is not ignoring the OA or OD characters.

After a bit of experimenting we see that if the EOL character is OA we get the match of the hash for the first tool, and if the EOL is CR LF we get a match on the hash for the second tool.

So the difference between the hashes is due to different EOL characters in the raw input data. 

 

API Gateway 9.2 
API Gateway 9.3

We found that the difference was in the set-context variables where there was option to interpret end-of-line characters as : 
We find the online tool was generating hash using LF, whereas the default for "set-context variable" was CR/LF

Once we change the set-context variables to use LF as the eol character we matched the hash256 value from the website. 

Printing out the hex of the input values was useful for debugging to determine exactly what value (lf and cr and all ) is being hashed.
 

Printing the hex value of the raw data that is being hashed is a very helpful way to determine which non visible characters are being used - notably here the CR and CR LF characters.  which are OD and OD OA in hex. 
 
Results using CR/LF :
Results using LF :