Commonly, VPN services would force DNS requests to their own DNS servers, in an attempt to prevent DNS leakages.
In your case, that could mean that unbound will never actually talk to authoritative DNS servers, but to NordVPN's DNS servers instead. Consequently, DNSSEC validation of DNS replies will always fail.
If you intend to use NordVPN as a gateway, you may have to forego using unbound.
Alternatively, you may inquire with NordVPN's support whether it would be possible to address this via NordVPN configuration. However, note that this may leak your unbound's DNS requests outside your VPN tunnel.