Thank you for the detailed description and the screenshots. For the CMG certificate, we may have something to check, for example, the purpose should contain server authentication, the service name, the deployment name, etc.
For the requirement, we may read through this article.
Here's also a nice video from a former Sr PFE at Microsoft, and we can follow it to check every single step and see if we missed anything.
Note: this is just for your reference.
Hope the above information helps.
If the response is helpful, please click "Accept Answer" and upvote it.