TTN will record and reject all DevNonces the device ever used before, so make sure you’re not testing with values that start at zero. See OTAA shows "Activation DevNonce not valid: already used" - #13 by arjanvanb for a workaround. (Also, an incremental DevNonce sounds like a LoRaWAN 1.1 device. The TTN community network uses 1.0.2, but 1.1.x devices should be backwards compatible.)
A Join Request should not hold the secret AppKey. It should include a MIC (calculated using the secret AppKey), like any message. Is that what you mean, and is that what you validated to be correct? You can validate the MIC of an OTAA Join Request using this online decoder and set a dummy value for NwkSKey, and paste your AppKey as known in TTN Console as the AppSKey.
Do you think that the AppEUI and DevEUI you got with the device are unique? (They should be. And they are not secret.)