Well... the problem is quite evident; many of these are various control or otherwise special characters.
The
%
,
&
,
#
, and
/
should be visible to anyone who has looked at a URL as separators, fragment identifiers, routing, and escape characters.
I personally would not use GET with a password, as it is just going to be a part of the URL and is subject to browser caching and logging within the server logs.
The solution can be quite evasive to find; especially if you intend on keeping this as a GET method.
In Net Framework, you could work with various elements in the web.config file to relax the various character restrictions, I do not know how to do in a Net.Core/Kestrel environment at this time.
Hopefully the following config references can guide you
Look here:
<system.web>
<httpRuntime
And here:
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true">