I'm using the chip to sign a digest (with optiga_crypt_ecdsa_sign from the the Crypt API) and need to verify the signature on the server side.

What is the length of the signature? In the mbedtls example you use 110, some places 70 or 80. In what format is the signature encoded?

I assumed it was DER, but when trying to decode it with ecdsa-python the procedure fails with "trailing junk after the signature"

the signature has the following form:

0x000000: 02 20 38 0f 56 c8 90 53 18 9d 8f 58 b4 46 35 a0 . 8.V..S...X.F5.
0x000010: d7 07 63 ef 9f a2 30 64 93 e4 3d bf 7b db 57 a1 ..c...0d..=.{.W.
0x000020: b6 d7 02 20 4f 5e 3a db 6b 1a eb ac 66 9a 15 69 ... O^:.k...f..i
0x000030: 0d 7d 46 5b 44 72 40 06 a5 7b 06 84 0f d7 6e 0f .}F[Dr@..{....n.
0x000040: 4b 45 7f 50                                     KE.P 

Which has two DER encoded integers:
r:

0x000000: 02 20 38 0f 56 c8 90 53 18 9d 8f 58 b4 46 35 a0 . 8.V..S...X.F5.
0x000010: d7 07 63 ef 9f a2 30 64 93 e4 3d bf 7b db 57 a1 ..c...0d..=.{.W.
0x000020: b6 d7

s:

0x000020:       02 20 4f 5e 3a db 6b 1a eb ac 66 9a 15 69 ... O^:.k...f..i
0x000030: 0d 7d 46 5b 44 72 40 06 a5 7b 06 84 0f d7 6e 0f .}F[Dr@..{....n.
0x000040: 4b 45 7f 50   

Different crypto libraries work with signatures differently, in general it's required to append a couple of bytes to this signature: SEQUENCE tag which is 0x30 and a length of the sequence, which is in this case is 0x44

For the python-ecdsa I'd recommend to do the following
Sample code is below:

    hash = "Hash of the data you want to verify"
    r = 0x380f56c89053189d8f58b44635a0d70763ef9fa2306493e43dbf7bdb57a1b6d7
    s = 0x4f5e3adb6b1aebac669a15690d7d465b44724006a57b06840fd76e0f4b457f50
    signature  = Signature(r, s)
    pubkey.verifies( hash, signature ):