Hi @Celia Navarro , As discussed earlier It is not possible to perform client certificate authentication without a private key for example consider postman as a client and you must provide a private key. If postman doesn't have the private key, it cannot perform client certificate authentication with APIM.
you mentioned that you were getting 403 forbidden error when you attach the public certificate, If there is not private key the certificate will not be sent in the request and hence it resulted in 403 response code.
Using OCP-APIM-trace you can verify if the certificate is added to the incoming request or not.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector#trace-a-call
let me know incase of further queries, I would be happy to assist you.
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.