ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

Home Page: https://www.ssllabs.com/projects/ssllabs-apis/


Unable to get 100% score without violating TLS 1.3 spec?

qwertychouskie opened this issue · comments

As per https://serverfault.com/a/1033444:

Nginx doesn't support configuring TLS 1.3 cipher suites like this, and you shouldn't, as per RFC 8446, 9.1 there are Mandatory-to-Implement Cipher Suites.

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).

Either this limitation should be documented somewhere, or an exception should be added for TLS_AES_128_GCM_SHA256 to not lower the score.
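The issue above rests on two points: the TLS 1.2-style cipher string that nginx's `ssl_ciphers` hands to OpenSSL does not govern which TLS 1.3 suites are offered, and RFC 8446 section 9.1 requires TLS_AES_128_GCM_SHA256 regardless. The following is an added illustration written for this page, not code from ssllabs-scan or from the nginx project. It uses Python's `ssl` module (which wraps the same OpenSSL cipher-string mechanism nginx uses) to show that a cipher string excluding AES-128 still leaves TLS_AES_128_GCM_SHA256 in the TLS 1.3 offer, and then checks the offered TLS 1.3 suites against the RFC's MUST and SHOULD lists. The cipher string `ECDHE+AESGCM:!AES128` is a constructed example; the code assumes a Python build linked against OpenSSL 1.1.1 or later.

```python
"""Added example (not ssllabs-scan or nginx code): show that the classic
OpenSSL cipher string does not govern TLS 1.3 suites, and check the TLS 1.3
suites a context offers against RFC 8446 section 9.1."""
import ssl

# Requirements quoted from RFC 8446 section 9.1 in the issue above.
MUST_IMPLEMENT = {"TLS_AES_128_GCM_SHA256"}
SHOULD_IMPLEMENT = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def tls13_suites_offered(cipher_string="ECDHE+AESGCM:!AES128"):
    """Build a server-side context, apply a TLS 1.2-style cipher string that
    tries to exclude AES-128 (constructed example), and return the TLS 1.3
    suites the context would still offer. The TLS 1.3 list is separate in
    OpenSSL, so the exclusion has no effect on it. Needs OpenSSL 1.1.1+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() returns one dict per suite; TLS 1.3 suites are tagged
    # with protocol "TLSv1.3".
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] == "TLSv1.3")


def check_mti(offered):
    """Compare an offered TLS 1.3 suite list with RFC 8446 section 9.1.

    Returns a dict with:
      must_ok        - True if every MUST suite is offered
      should_missing - SHOULD suites that are not offered
      non_mti_tls13  - offered TLS 1.3 suites outside the MUST/SHOULD lists
    """
    offered = set(offered)
    return {
        "must_ok": MUST_IMPLEMENT <= offered,
        "should_missing": sorted(SHOULD_IMPLEMENT - offered),
        "non_mti_tls13": sorted(offered - MUST_IMPLEMENT - SHOULD_IMPLEMENT),
    }


if __name__ == "__main__":
    suites = tls13_suites_offered()
    print("TLS 1.3 suites still offered after '!AES128':", suites)
    print("RFC 8446 9.1 check:", check_mti(suites))
```

Running this with a TLS 1.3-capable OpenSSL prints TLS_AES_128_GCM_SHA256 among the offered suites even though the cipher string contains `!AES128`, which is exactly why a scanner that penalises that suite cannot be satisfied by `ssl_ciphers` alone, and why the RFC's MUST requirement argues for the exception the issue requests.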