@Howard Smith Thank you for posting this in Microsoft Q&A. For every application that you register in Azure AD, there is a service principal that gets created under enterprise applications. For multi-tenant applications, the application is registered in only one tenant. There is a service principal that get's created in all other tenant, whoever is provisioning this application. There is no application that get's registered in other tenants. Now, the token signing certificate is different for different tenants. Usually, token signing certificate is used for signing the token which is sent by Azure AD to the application post authentication. Before accessing the token, application will validate the signature of the certificate. This certificate is different for different tenants. Yes, you can download the certificate from Application registered tenant and upload it to other tenant where service principal is created.
Let me know if you have any further questions on this. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.