I had the same issue and I fixed it by adding "trustedCertificateSubjects" to the "App registration" Manifest.
    "trustedCertificateSubjects": [
        {
            "authorityId": "00000000-0000-0000-0000-000000000001",
            "subjectName": "XXX.XXXXXXXXXXXX.aad.XXXXXX.XX"
        }
    ]
You should update the "subjectName" with your certificate "Subject" (the value after the CN=) or with the "Subject Alternative Name". The certificate should be in your KeyVault.
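
A helper for the step described in the answer above, added here as an example and not part of the original post: it extracts the CN from a certificate subject string and adds the matching entry to a manifest loaded as a dict. The function names and the sample subject are constructed for illustration; the key names and the authorityId value are the ones shown in the answer.

```python
import json

# authorityId copied from the answer above; the names below are illustrative.
AUTHORITY_ID = "00000000-0000-0000-0000-000000000001"


def split_rdns(subject):
    """Split a subject DN on commas, honouring backslash-escaped characters."""
    subject = subject.strip()
    if subject.lower().startswith("subject="):  # prefix printed by openssl
        subject = subject[len("subject="):]
    parts, buf, escaped = [], "", False
    for ch in subject:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def common_name(subject):
    """Return the value after CN=; refuse subjects with zero or several CNs."""
    names = [v.strip() for k, _, v in (r.partition("=") for r in split_rdns(subject))
             if k.strip().upper() == "CN"]
    if len(names) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(names))
    return names[0]


def add_trusted_subject(manifest, subject_name):
    """Add the entry to the manifest dict unless an identical one exists."""
    entry = {"authorityId": AUTHORITY_ID, "subjectName": subject_name}
    subjects = manifest.setdefault("trustedCertificateSubjects", [])
    if entry not in subjects:
        subjects.append(entry)
    return manifest


if __name__ == "__main__":
    subject = "C=US, O=Contoso\\, Ltd., CN=app.contoso.example"  # constructed sample
    print(json.dumps(add_trusted_subject({}, common_name(subject)), indent=4))
```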