Problem setting Azure Application Gateway to use certificate held in Azure Key Vault

I'm trying to update an Azure Application Gateway so that it uses a certificate held in an Azure Key Vault rather than uploaded directly into the listener.

The certificate held in the Key Vault was generated using the integration with DigiCert. This appears to have worked correctly.

The problem happens when we try to set a listener to use that certificate. I get an error

Failed to save application gateway changes
Error: problem occurred while accessing and validating KeyVault Secrets associated with Application Gateway

We've checked various things and everything seems to be OK.

• The certificate is in the certificates section of the key vault, it does appear to have an auto generated secret (which I believe holds the PFX). The certificate has a "Secret identifier" which gives a URI to the secrets section, this is what I am expecting to see. We've also queried the contentType of the secret URI using the CLI and got back "application/x-pkcs-12" so it looks good.
• We've made a new managed identity for the gateway and given this, for the moment, pretty much every permission to the key vault though it should just need access to certificates and secrets. The key vault is using access policies for its permissions and not RBAC.
• We've assigned the managed identity to the App Gateway (which was tricky, we had to do it through the CLI, we appear to be missing the Identity blade despite being on a WAF V2 tier).
• We've added the certificate to the "Listener TLS certificates" section of the gateway. This needed the new managed identity and didn't generate an error.
• It's when we try and update the HTTPS listener to use the new certificate that we get the error.
• We've tried restarting the App Gateway and that hasn't given us any changes.

Does anyone have any ideas for what else we could check to get this working?

The solution that we found was to make sure that the certificate was marked as exportable, with this done and then regenerated through Digicert things worked without issue.

We stripped back the permissions to just get and list for the secrets and certificates and it continues to work. So that was unnecessary.