Hello Federico Gentile,
Thank you for posting in Q&A forum.
Based on the description, I understand you set up PIV logon to be required by all users in the domain, but now nobody is able to log in to the domain anymore. Now one administrator account that had no expiring password policy is still able to log in to the PDC. Now you are unable to run any certutil -sc commands.
Based on the description "Whenever it requires a pin to be entered outside the windows logon scenario, the prompt for PIN fails saying 'The operation is not permitted due to Computer Policy configuration'.", you can try to export the computer configuration on the problematic machine (see steps below) and check the related/corresponding GPO settings (I'm sorry, I can't know the specific policy settings directly, but you can try to find the relevant policy on the machine in question).
Meanwhile, what do you mean by "outside the windows logon scenario"? Maybe there are Computer Policy settings that block the use of the PIN when it is not the Windows logon scenario.
To check the Computer Configuration with gpresult, we can follow the steps below.
Log on to this machine using an administrator account.
Open CMD (run as Administrator).
Type gpresult /h C:\gpo.html and press Enter.
Open gpo.html and check the GPO settings under "Computer Details".
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou