Make sure the time and timezone is correctly set on your device, TOTP is time-dependent and both the server and the smartphone needs to have the same time in order to validate the code.
Lemmy uses SHA256 instead of SHA1 like most other websites using TOTP. Honestly I’m not sure Google Authenticator supports it, as I don’t see the option when attempting to add a key manually.