Thanks; I was eventually able to work through the myriad issues (this one was caused by not noticing that SOGo needs to be told to authenticate to Dovecot using XOAUTH2 using its NGImap4AuthMechanism setting, if anyone else should experience the same problem).
I wasn't able to get Dovecot XOAUTH2 to work with Authentik unless I dropped the profile scope from SOGo (even using the dovecotprofile scope recommended in the Authentik RoundCube documentation didn't work). With either of those scopes in place Dovecot always got 401 errors from Authentik when invoking the tokeninfo_url. I was able to get it to work by having SOGo request tokens with openid email scopes.
In any event, I was eventually able to get Authentik, Dovecot, and SOGo working together using OpenID/XOAUTH2 authentication. Thanks to everyone here for making a great mail server; it's served my family and me well for many years.