Azure Key Vault VM Extensions Version 3.0 not deploying KeyExportable: true or Accounts: Network Service
AJ Valenty, Microsoft Employee
I am setting keyExportable on a certificate in the Azure Key Vault VM extension, and it is not getting set to exportable on the test VM following a successful deployment. Any help would be greatly appreciated.
I am using version 3.0 to mark the private key as exportable as well as to grant access to Network Service accounts. The deployment succeeds. When I check the Key Vault service, the certificate says it is exportable. I have tried to give my MSI identity max permissions as well:

    "name": "servicename-msi-test-eastus2-testslice",
    "resourceGroup": "servicename-identity-test",
    "subscriptionId": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "permissions": {
        "keys": [
            "get",
            "create",
            "import",
            "delete",
            "update",
            "encrypt",
            "decrypt",
            "sign",
            "verify",
            "wrapKey",
            "unwrapKey",
            "list",
            "backup",
            "restore"
        ],
        "secrets": [
            "get",
            "set",
            "delete",
            "list",
            "backup",
            "restore"
        ],
        "certificates": [
            "get",
            "create",
            "import",
            "delete",
            "update",
            "list",
            "backup",
            "restore",
            "setissuers",
            "managecontacts",
            "manageissuers"
        ]
    }

Below is a code snippet of the ARM template.
{"accounts": [], "name": "/subscriptions/<%- location.subscriptionId ?? subscriptionId %>/resourceGroups/<%- regionKvRG %>/providers/Microsoft.KeyVault/vaults/<%- regionKvName %>/secrets/secret1", "keyExportable": false},
{"accounts": ["Network Service"], "name": "/subscriptions/<%- location.subscriptionId ?? subscriptionId %>/resourceGroups/<%- regionKvRG %>/providers/Microsoft.KeyVault/vaults/<%- regionKvName %>/secrets/cert1", "keyExportable": true},
{"accounts": ["Network Service"], "name": "/subscriptions/<%- location.subscriptionId ?? subscriptionId %>/resourceGroups/<%- regionKvRG %>/providers/Microsoft.KeyVault/vaults/<%- regionKvName %>/secrets/cert2", "keyExportable": true},
{"accounts": [], "name": "/subscriptions/<%- location.subscriptionId ?? subscriptionId %>/resourceGroups/<%- regionKvRG %>/providers/Microsoft.KeyVault/vaults/<%- regionKvName %>/secrets/secret2", "keyExportable": false},
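
A check that can be run on the VM to see what the extension actually applied, as an added example that is not part of the original post and not Microsoft's code. It reports, per certificate, whether the private key is exportable and whether Network Service has read access to the key file. It assumes the certificates were installed into `LocalMachine\My`; the thumbprints and the `Get-KeyState` helper name are placeholders introduced here.

```powershell
# Added example. Run elevated on the VM. Assumes the extension installed the
# certificates into LocalMachine\My; the thumbprints below are placeholders.
$Thumbprints       = @('<CERT1_THUMBPRINT>', '<CERT2_THUMBPRINT>')
$NetworkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
$ReadRights        = [System.Security.AccessControl.FileSystemRights]::Read
$AllowExport       = [System.Security.Cryptography.CngExportPolicies]::AllowExport
$SidType           = [System.Security.Principal.SecurityIdentifier]

function Get-KeyState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key installed." }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "$Thumbprint does not have an RSA private key." }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: exportability is a flag in the key's export policy.
        $exportable = $rsa.Key.ExportPolicy.HasFlag($AllowExport)
        $keyName    = $rsa.Key.UniqueName
    } else {
        # Legacy CSP key: exportability is a property of the key container.
        $exportable = $rsa.CspKeyContainerInfo.Exportable
        $keyName    = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine key files live in one of these two directories; probe both.
    $keyFile = 'Keys', 'RSA\MachineKeys' |
        ForEach-Object { Join-Path $env:ProgramData "Microsoft\Crypto\$_\$keyName" } |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key file for $Thumbprint not found." }

    # Resolve ACL entries to SIDs so the check also works on localized Windows.
    $rules   = (Get-Acl -LiteralPath $keyFile).GetAccessRules($true, $true, $SidType)
    $canRead = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $NetworkServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $ReadRights) -eq $ReadRights
    })

    [pscustomobject]@{
        Thumbprint = $Thumbprint; KeyExportable = $exportable
        NetworkServiceCanRead = $canRead; KeyFile = $keyFile
    }
}

$Thumbprints | ForEach-Object { Get-KeyState -Thumbprint $_ } | Format-Table -AutoSize
```

Comparing `KeyExportable` and `NetworkServiceCanRead` against the `keyExportable` and `accounts` values in the template shows which of the two settings was not applied.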