Setting up CES and CEP PKI in a trusted forest scenario
I have two domains with a two-way forest trust. I want computer accounts in DomainB to enroll for computer client-auth certificates from the two-tier Windows CA in DomainA. I configured a certificate template on the issuing CA for this and gave Read and Enroll rights to the computer in DomainB.
I configured the issuing CA in DomainA for the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service according to the Microsoft documentation. CEP and CES use Kerberos authentication with a domain service account that has an SPN and is configured for Kerberos delegation. The service account is a member of the IISUsers group and has Request Certificates rights on the issuing CA.
To test, I'm using Cert Manager on a DomainB Windows 10 computer to manually configure an Enrollment Policy using the CEP URI, but I get the error "Access was denied by the remote endpoint". It does complete properly if I remove the SPN and the Kerberos delegation for HOST and RPCSS from the service account.
If I then try to request a new certificate for the computer in DomainB, I can see the issuing CA but it says Certificate types are not available even though the computer has Read and Enroll rights. Logging tells me nothing, other than it can see the certificate template.
Any ideas WTH I'm doing wrong here? This should work using Kerberos auth, right? The CES service account should have Kerberos delegation configured, right?
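The following PowerShell diagnostic is an added example, not part of the original post, that walks the same checklist the poster describes (SPN on the service account, delegation to HOST and RPCSS on the CA, Kerberos negotiation from the DomainB client, template and CA permissions). Every host, account, CA and template name in it is a placeholder assumption; the CEP and CES URL paths are the defaults Microsoft's CEP/CES setup creates, and the "sanitized" CA name in the CES path is assumed to be the CA common name with spaces replaced by underscores. Sections 1, 2 and 5 are meant to run on a DomainA box with RSAT and certutil; sections 3 and 4 on the DomainB client, from a SYSTEM shell if the computer account (rather than the logged-on user) should be the one authenticating.

```powershell
# Added diagnostic script (not from the original post). Placeholder names (assumptions):
#   svc-ces             = CES/CEP service account in DomainA
#   ces.domaina.example = IIS host running CEP and CES
#   ca.domaina.example  = issuing CA host, CA common name "DomainA-Issuing-CA"
#   DomainBComputerAuth = template *name* (not display name) published for DomainB computers
Import-Module ActiveDirectory

$svc      = 'svc-ces'
$cesHost  = 'ces.domaina.example'
$caHost   = 'ca.domaina.example'
$caName   = 'DomainA-Issuing-CA'
$template = 'DomainBComputerAuth'
# Default CEP/CES paths created by the role setup (assumed sanitized CA name: spaces -> underscores)
$cepUri   = "https://$cesHost/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"
$cesUri   = "https://$cesHost/$($caName -replace ' ','_')_CES_Kerberos/service.svc/CES"

# --- 1. SPN registration on the service account (run in DomainA) -----------------
# The HTTP SPN for the CEP/CES host must be on the service account and nowhere else.
$props = 'servicePrincipalName', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'
$acct  = Get-ADUser -Identity $svc -Properties $props
"SPNs on ${svc}:"
$acct.servicePrincipalName | ForEach-Object { "  $_" }
if ($acct.servicePrincipalName -notcontains "HTTP/$cesHost") {
    Write-Warning "HTTP/$cesHost is not registered on $svc; clients cannot get a Kerberos ticket for CEP/CES"
}
# A duplicate of that SPN anywhere in the forest also breaks Kerberos for the service.
setspn -X -F

# --- 2. Delegation settings (run in DomainA) -------------------------------------
# CES submits requests to the CA over DCOM on the caller's behalf, so it needs constrained
# delegation to the CA's HOST and RPCSS services; unconstrained delegation is not required.
"Constrained delegation targets for ${svc}:"
$acct.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }
foreach ($spn in "HOST/$caHost", "RPCSS/$caHost") {
    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $spn) {
        Write-Warning "$spn is missing from msDS-AllowedToDelegateTo on $svc"
    }
}
if ($acct.TrustedForDelegation) {
    Write-Warning "$svc is trusted for unconstrained delegation; constrained delegation to $caHost is the intended setup"
}

# --- 3. From the DomainB client: does the CEP endpoint negotiate Kerberos? ---------
# Purge cached tickets, call the CEP URI with default (integrated) credentials, then look
# for a service ticket for HTTP/<cesHost>. If none appears, the client fell back to NTLM
# or could not resolve the SPN across the forest trust.
klist purge | Out-Null
try {
    $resp = Invoke-WebRequest -Uri $cepUri -UseDefaultCredentials -UseBasicParsing
    "CEP endpoint answered with HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "CEP request failed: $($_.Exception.Message)"
}
klist | Select-String "HTTP/$cesHost"

# --- 4. From the DomainB client: policy servers and an enrollment attempt ----------
# Policy servers the machine already knows, then a request for the template through the
# CEP URL (Get-Certificate takes the enrollment *policy* URL, not the CES URL).
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine
Get-Certificate -Template $template -Url $cepUri -CertStoreLocation Cert:\LocalMachine\My

# --- 5. On the CA: template ACL and CA security (run in DomainA) ------------------
# Confirm the DomainB computer (or a group that contains it) has Read and Enroll on the
# template, and that the service account has Request Certificates on the CA itself.
certutil -v -template $template | Select-String -Pattern 'Allow|Deny|DomainB'
certutil -config "$caHost\$caName" -getreg CA\Security
"CES URL for reference: $cesUri"
```

A ticket for `HTTP/ces.domaina.example` in the `klist` output after step 3 is the single most useful signal here: without it, the "Access was denied by the remote endpoint" error is an authentication problem at the CEP/CES layer, and template permissions never come into play. Only once that ticket is present does it make sense to chase "Certificate types are not available" in the template ACL and CA permissions shown by step 5.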