Nailed it! I had 2 problems;
- My mistake, I didn´t export Root CA and did not set it when creating CMG. I had to delete previous Resource Group from Azure and I created new CMG instance with root ca inserted and without CRL check because I don´t have it in public.
- From here I learned, that the registry key was missing from MP even if CMW traffic was cheked in MP properties. See last post: https://learn.microsoft.com/en-us/answers/questions/122165/clients-not-communicating-with-cmg.html