@Zachery Minton , For the error message, it seems there's mismatch when doing authentication. I notice we use user certificate. When we request it manually it is working. But it is not working when request from Intune.
I wonder if our issue is with the certificate subject name. Could you check on one working certificate and one not working certificate to see if the subject is the same?
For the "CN={{UserPrincipalName}}", based on my understanding, it will use the user principal name of the AAD account. For on premise user, I find there are two Subject name format related. one is CN={{OnPrem_Distinguished_Name}} and the other is CN={{OnPremisesSamAccountName}}.Here is a link for the reference:
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile
If our issue is that the subject name in the two user certificates are not the same, maybe we can consider to change the NPS to authentication the certificate like samaccountname or distinguished name.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.