Damus had dubious logic that would look for the zap request inside of a bolt11 description if it was a description invoice instead of a description hash invoice. Alby hub was creating description invoices and are not committing to the zap request. Damus did not handle this properly. I still think zap implementations should commit the zap request in the description hash, people have given up on validation of any sort except the nostrPubkey == zap pubkey. So yeah thats it in a nutshell if that makes any lick of sense.
That sucks, wish zaps had more auth too
just to mention this, this is not in Alby Hub's hands. This is a limitation of LDK, Phoenixd, also with CLN there are implementation issues and setups like LNBits have issues with that, too. https://github.com/lnurl/luds/pull/234