by k__ 3624 days ago
Why not using one key per user? Then I would just have to invalidate this one user and not all of them.

You don't know who the user is until you have verified the integrity of the JWT. Verifying the integrity requires the secret. Your solution adds the dependency: the secret requires the user. It is cyclic, unsolvable without breaking a constraint.

You could assume the username is correct, then get the secret, validate. But that sounds like something breakable.
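The lookup-then-verify flow the reply sketches, as an added example that is not from the thread: the unverified `sub` claim is read only to choose which user's key to check against, and the claims are accepted only if the HS256 MAC verifies under that key. The key store, user names and secrets are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-user HS256 secrets standing in for a key store (assumption,
# not from the thread): one secret per user, so one user can be revoked alone.
USER_KEYS = {
    "alice": b"alice-secret-0123456789abcdef",
    "bob": b"bob-secret-0123456789abcdef",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; the MAC covers the encoded header and payload."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_per_user_jwt(token: str, key_store: dict):
    """Lookup-then-verify: the unverified `sub` claim is used only to pick a
    key; the claims are returned only if the MAC checks under that key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the header is attacker-controlled until verified.
    if header.get("alg") != "HS256":
        return None
    key = key_store.get(claims.get("sub"))
    if key is None:
        return None  # unknown user: no key, so nothing to verify against
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # not signed with this user's key: reject the claims
    return claims
```

A token whose `sub` is rewritten to another user simply selects that user's key, under which the original MAC does not verify, so the unverified claim never grants more than a lookup.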