Hello @Umair Syed - My apologies for the delayed responses.
It's not that APIM requires the private key in any proprietary or arbitrary way, it is because the particular protocol used under the covers, which is mutual TLS (Client Certificate Authentication), requires the private key to be involved during handshake for the purposes of validating the certificate presented by a client. Here's a nice read on the handshake: https://textslashplain.com/2020/05/04/client-certificate-authentication/
Coming back to APIM, the following blog post details how APIM uses certificates and where they are used in a simpler, organized manner: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/using-certificates-in-azure-api-management/ba-p/2888447
Upon examining the blog, you'll find that mutual TLS is discussed for the "Client certificate to secure access to the APIs for Self-hosted Gateway" scenario, which is what you're in the process of implementing. As you may already have reviewed, the official doc on the exact steps is here: Secure backend services using client certificate authentication in Azure API Management
For different certificate-related scenarios where you need to supply a pfx, you may generate the pfx without the private key. The following Stack Overflow post may be helpful in generating one: How to create .pfx file containing only one of private/public key
I hope this is still helpful; please let me know if you have any further questions on this topic.
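As an added illustration (not part of the original answer), the following script builds both kinds of .pfx mentioned above and checks which one actually carries a private key; it assumes the openssl CLI is installed and uses a constructed self-signed certificate in place of a real backend certificate.

```shell
#!/bin/sh
# Added example, not from the original answer or from APIM docs.
# Assumes the openssl CLI is available; every file is constructed here.
set -eu

WORK=$(mktemp -d)

# Constructed self-signed certificate + key standing in for a real cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=example-backend" \
  -keyout "$WORK/backend.key" -out "$WORK/backend.crt" 2>/dev/null

# Certificate-only PFX: -nokeys means no private key is packaged.
# Suitable where only the public certificate is needed (e.g. trust/CA use).
make_cert_only_pfx() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout pass:"$3"
}

# Full PFX with the private key: what mutual TLS client auth needs,
# because the key is used during the TLS handshake.
make_full_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout pass:"$4"
}

# Prints "key" if the PFX contains a private key, "nokey" otherwise.
pfx_has_key() {
  if openssl pkcs12 -in "$1" -passin pass:"$2" -nocerts -nodes 2>/dev/null \
     | grep -q "PRIVATE KEY"; then
    echo key
  else
    echo nokey
  fi
}

# Demo run: build both files and report what each one contains.
make_cert_only_pfx "$WORK/backend.crt" "$WORK/certonly.pfx" secret
make_full_pfx "$WORK/backend.crt" "$WORK/backend.key" "$WORK/full.pfx" secret
echo "certonly.pfx: $(pfx_has_key "$WORK/certonly.pfx" secret)"   # nokey
echo "full.pfx:     $(pfx_has_key "$WORK/full.pfx" secret)"       # key
```

The same check is a quick way to confirm, before uploading to APIM, whether a .pfx you were handed can be used for client certificate authentication or only as a trusted certificate.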