Apologies for the delay in response.
For certificates ensure that the Private Key is present on the originating call and the public key on the recipient.
If you are able to use Managed Identity on your functions you can remove certificate altogether in favor of JWTs in the Authorization header and callers verifying each other by the App ID. One huge advantage is the App ID never changes or expires and can't be hijacked by another user. Your certificate is only as secure as the last person to leave it on an open file share or Key Vault to lax permissions.
Please let me know if this works for you.
