Hi,
We had the same issue; we ended up Hybrid Azure AD joining the devices instead, which solves the problem as well. Switching to HTTPS in the site will of course also solve the problem.
This topic was discussed at the AMA at an online event two weeks ago called WPNinjas.eu, and I believe the response from the PG was that it is by design and it will try to use the cert. Workaround: Hybrid Azure AD Join or HTTPS.
And yes, the CM client will try to use a cert in the Personal Store of the device.
Regards,
Jörgen