Verifies the HMAC-SHA256 signature of a webhook payload. Returns true if valid or if no signing secret is configured.