I don't work on Monitor webhooks, but from your description of the SHA256 X-esrihook-Signature, it sounds like it's implemented the same as other Esri webhooks (feature service for example). The answer of "how" you validate in the receiver largely depends on the receiver itself. If you're using Power Automate or Make or some commercial receiver, you'll need to investigate what methods they have available.
The basic approach is to build up a string by adding: sha256= to the calculated encoded payload body using the sha256 hash. This provides the calculated signature that you can compare to the X-esrihook-signature.
The following Python code represents how to do this (myKey is a variable hardcoded into the script that matches the key you used in the webhook creation).
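    import base64
    import hashlib
    import hmac

    # Must match the key you used in the webhook creation (placeholder value)
    myKey = "<your-webhook-key>"

    def validate_signature(payload, xsigHash):
        # payload: raw request body as bytes
        # xsigHash: value of the X-esrihook-Signature header
        encodeKey = str.encode(myKey)
        signature = 'sha256=' + base64.b64encode(
            hmac.new(encodeKey, payload, digestmod=hashlib.sha256).digest()).decode()
        # Constant-time comparison rather than ==, so timing does not reveal a partial match
        return hmac.compare_digest(signature.encode(), xsigHash.encode())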
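The same check placed inside a receiver, as an added example that is not part of the original answer and is not Esri code: it shows that the signature has to be computed over the raw request bytes before any JSON parsing, and how missing, tampered and re-serialised deliveries are rejected. It assumes the scheme described in the answer (`sha256=` plus base64 of the HMAC-SHA256 of the body); `handle_webhook`, `sign`, the secret and the sample body are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-test-secret"  # assumption: placeholder, not a real key

def sign(secret: bytes, raw_body: bytes) -> str:
    """Signature in the form the answer above describes."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(mac).decode()

def handle_webhook(headers: dict, raw_body: bytes, secret: bytes = SECRET):
    """Hypothetical receiver entry point: returns (http_status, parsed_payload)."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("x-esrihook-signature")
    if not received:
        return 401, None  # unsigned request: reject without parsing the body
    expected = sign(secret, raw_body)
    # Compare in constant time, and do it BEFORE json.loads touches the body.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None  # authentic sender, malformed JSON

# Constructed sample delivery (not a real Esri payload).
BODY = b'{"events": [{"id": 1, "type": "constructed"}]}'
GOOD = {"X-Esrihook-Signature": sign(SECRET, BODY)}

def demo():
    # Parsing and re-dumping changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(BODY), indent=2).encode()
    return {
        "valid": handle_webhook(GOOD, BODY)[0],
        "missing_header": handle_webhook({}, BODY)[0],
        "tampered": handle_webhook(GOOD, BODY.replace(b"1", b"2"))[0],
        "reserialised": handle_webhook(GOOD, reserialised)[0],
        "wrong_key": handle_webhook(GOOD, BODY, b"other")[0],
    }

if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the unmodified request body bytes to the check; a body that the framework has already parsed and re-encoded fails verification, as the `reserialised` case shows.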