The Kerberos/SASL auth error document that is returned by the authentication command to the client should be made more verbose.
One example is:
// saslServerConnAuthorize in sasl_authentication_session.cpp sasl_seterror(conn, 0, "saslServerConnAuthorize: ", "Requested identity not authenticated identity");
that could include the names of the two mismatching identities.