When you try to access the multitenant application, there is a service principal that gets created in your tenant.
For example, Tenant A has multitenant application registered. Now when user from Tenant B tries to access the multitenant application, there is one service principal that gets created in tenant B.
If you have configured custom claims for application in tenant A then these claims are passed only when users from tenant A are accessing the application.
If you want tenant B users also to get the custom claims, then you will have to configure these custom claims in tenant B as well.
The certificate that is used in the token will be tenant B certificate.