RRAS trouble with certificate based L2TP on Server 2016

Does IT Really Matter in NY 101 Reputation points
2020-08-06T19:03:33.44+00:00

We have two Server 2008 R2 servers running RRAS supporting L2TP VPN for our employees using an internal CA structure. The computers' names don't match the certificate name, but match external DNS, so they haven't given us a problem. We are now in the process of replacing these with Server 2016 boxes. All of these servers have two certificates - one with the actual server name (Client & Server Auth purposes), and one with the external DNS name (Server Auth & IKE intermed). One of the new servers is up and running just fine with certificate L2TP connections. The other one, for some reason, doesn't want to work.

It seems like it wants to present the incorrect certificate. When a client (Win10 or Win7) tries to connect with certificate L2TP, it gets error 835 (fields cannot be validated). If I delete the cert for the actual server name, the L2TP connection works - until the GPO that auto-enrolls runs again. Doesn't make sense since the other new server doesn't have the problem at all, and all the settings seem identical.

I know I could work around the issue by unselecting the "Verify the Name and Usage of server's certificate" on the client, but I really don't want to do that in general, and don't want to make a change to the VPN client GPO.

Googling around doesn't seem to help too much because most of the articles I'm finding are only about PSK L2TP. I find stuff about setting the certificate in NPS authentication settings, but my understanding is that it is only for user authentication, after the machines have already established the L2TP tunnel (or am I wrong?). Either way, that is set to the correct certificate.
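To see which of the two machine certificates on each RRAS box would actually satisfy the client's "Verify the Name and Usage of server's certificate" check, here is an added PowerShell inventory script (not from the thread or from Microsoft); it assumes the external DNS name clients dial is known and uses a placeholder for it, and approximates the client check as "name matches the CN or a DNS SAN, and the Server Authentication EKU is present":

```powershell
# Added diagnostic, not part of the original thread. Lists LocalMachine\My
# certificates on an RRAS server and flags which ones pass the client's
# name-and-usage check for the external VPN name.
$VpnDnsName = 'vpn.example.com'   # placeholder: the external DNS name clients dial

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$IkeIntOid     = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

function Get-VpnCertCandidate {
    param([string]$DnsName)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert  = $_
        # EnhancedKeyUsageList and DnsNameList are added by the PowerShell
        # certificate provider; DnsNameList merges the CN and DNS SAN entries.
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        # A certificate with no EKU extension at all is valid for every purpose.
        $noEku   = ($ekus.Count -eq 0)
        $nameOk  = $names -contains $DnsName
        $usageOk = $noEku -or ($ekus -contains $ServerAuthOid)
        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            HasPrivateKey      = $cert.HasPrivateKey
            Names              = ($names -join ', ')
            ServerAuth         = $usageOk
            ClientAuth         = $noEku -or ($ekus -contains $ClientAuthOid)
            IkeIntermed        = $noEku -or ($ekus -contains $IkeIntOid)
            # Name match, usable EKU and a private key: what the client expects
            PassesNameAndUsage = ($nameOk -and $usageOk -and $cert.HasPrivateKey)
        }
    }
}

Get-VpnCertCandidate -DnsName $VpnDnsName |
    Sort-Object PassesNameAndUsage -Descending |
    Format-Table Thumbprint, Names, ServerAuth, ClientAuth, IkeIntermed, PassesNameAndUsage -AutoSize

# An auto-enrolled cert carrying only the internal host name shows
# ServerAuth=True but PassesNameAndUsage=False: if the server offers that
# one, a client with name/usage checking enabled fails with error 835.
```

Run it on both 2016 servers and compare the output; a difference in which certificates pass, or in their validity dates or private-key state, narrows down why one server behaves differently from the other.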


1 answer

  1. Candy Luo 12,686 Reputation points Microsoft Vendor
    2020-08-07T08:23:59.627+00:00

    Hi,

    >>I know I could work around the issue by unselecting the "Verify the Name and Usage of server's certificate" on the client, but I really don't want to do that in general, and don't want to make a change to the VPN client GPO.

    As you said, you have found the workaround for this issue. Please understand, from the Q&A platform support level, it is hard for us to analyze the cause of this issue. We can only provide some general suggestions here. If you want to find the root cause, I suggest you contact the Premier support team.

    For more information about our Premier support, please see:

    https://www.microsoft.com/en-us/microsoftservices/support.aspx

    Best Regards,

    Candy
