The reason is that keys are not the same as addresses, and it is not a one-to-one mapping of pubkey to address. There are multiple addresses for a single pubkey as there are multiple address types. The purpose of descriptors is to make it clear which address type to create. However, you've completely bypassed that by taking the key out of the descriptor and trying to compute the address manually. The reason you don't get the same address is most likely because you have chosen the wrong address type.
I see that you've referred to my reply there.
Since you've successfully derived the correct public key, the issue is the selected tab under derivation path:
IanColeman's BIP39 tool has reserved a different address type per tab, where the standards "BIP44", "BIP49" and "BIP84" tabs derive legacy, nested-SegWit and native-SegWit respectively.
While in the "BIP32" tab, it'll default to legacy no matter what the derivation path is; and in the "BIP141" tab, it'll derive the one selected in the "Script Semantics" drop-down menu.
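To make the point of the two replies above concrete, here is an added example (not code from either poster) that encodes one and the same public-key hash as a legacy address and as a native-SegWit address. It assumes the HASH160 of the key is already known and uses the key hash from the BIP173 examples as input; the nested-SegWit type is left out because it needs a further RIPEMD-160 hash of the redeem script.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# HASH160 of the compressed pubkey used in the BIP173 examples, taken as given input.
KEY_HASH = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")

def legacy_p2pkh(key_hash: bytes) -> str:
    """Base58Check with version byte 0x00: the m/44' (BIP44) address type."""
    raw = b"\x00" + key_hash
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as the character "1"
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def _polymod(values):
    """Bech32 checksum polynomial from BIP173."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def native_segwit_p2wpkh(key_hash: bytes, hrp: str = "bc") -> str:
    """Bech32 with witness version 0: the m/84' (BIP84) address type."""
    acc, bits, data = 0, 0, [0]          # data starts with witness version 0
    for byte in key_hash:                # regroup 8-bit bytes into 5-bit values
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:                             # zero-pad a trailing partial group
        data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(hrp_exp + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(B32[d] for d in data)

if __name__ == "__main__":
    print("BIP44 legacy       :", legacy_p2pkh(KEY_HASH))
    print("BIP84 native SegWit:", native_segwit_p2wpkh(KEY_HASH))
```

Both strings pay to the same key, which is why comparing an address from one tab against a wallet using another derivation standard never matches.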
Through your explanations, I think I finally understood. It was in front of my eyes all the time. My hdkeypath starts with "m/84". This means that it is an address in BIP84 format. Gosh, now I understand what those numbers in front of the paths mean. IanColeman's BIP39 tool generates all addresses, pubkeys and privkeys. Great.
Is BIP84 ok? Can I use such an address normally on an online exchange like Kraken? I did nothing else. Bitcoin Core has chosen this format itself. Thus, I would hope that it is a common standard.
When I call "listdescriptors true" I get 8 entries, but they all have the same xprivkey. If I call "listdescriptors" I also get 8 entries, but with a total of 4 xpubkeys. IanColeman's BIP39 tool also shows me one xpubkey out of the four, in the line "Account Extended Public Key".
With this xpubkey I can then make myself a watch-only wallet, right? Can I then also create unsigned transactions with the watch-only wallet, which I then sign on my cold wallet?
I will of course never transfer a private key to the watch-only wallet. Another thing I'm wondering: Aren't HD wallets easier to crack? After all, you "only" have to guess a private child key and then you can use the xpubkey to calculate the xprivkey. Right?