
Unable to find certificate -- not sure where I'm going wrong


Hi! Firstly, thank you for this tool. Secondly, this is a low priority issue, and I’m 98% sure it’s my fault, so if you happen to be able to point me in the right direction, I’d appreciate it.

Background / Goal

I recently bit the bullet and got an Authenticode cert to sign an Office add-in I want to publish.

Goals:

  • Use AzureSignTool within an AzureDevOps pipeline to sign the setup.exe file produced by my build process.
  • Double-check that this is “enough” in this case.

What I’ve Done

  • Obtained the cert
  • Uploaded the cert into an Azure KeyVault I created
  • Registered an app in my Azure AD
  • Granted the app access to the Azure KeyVault
  • Used the app ID as my client ID and a generated client secret as my secret.
  • Installed AzureSignTool as a global tool within my pipeline steps:

```yaml
- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool
```

  • Called the AzureSignTool from the command line (info redacted):

```yaml
- task: CmdLine@2
  displayName: 'Sign outputted .exe with AzureSignTool'
  inputs:
    script: "AzureSignTool.exe sign -du 'https://killeencode.com' -kvu 'https://[REDACTED].vault.azure.net' -kvi '[REDACTED]' -kvs '[REDACTED]' -kvc '[REDACTED]' -v setup.exe"
    workingDirectory: '$(Build.ArtifactStagingDirectory)'
```

The Problem

No matter what, AzureSignTool appears unable to find the cert:

```text
trce: AzureSignTool.Program[0]
      Retrieving certificate '[REDACTED]'.
fail: AzureSignTool.Program[0]
      Failed to retrieve certificate '[REDACTED]' from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate.
info: AzureSignTool.Program[0]
      Failed to get configuration from Azure Key Vault.
##[error]Cmd.exe exited with code '-2147024809'.
```

What I’ve confirmed (or so I think)

  • The KeyVault URL is correct – copied it directly from portal
  • The application ID from my Azure AD app registration is being used as the input to -kvi
  • The client secret for my application in AD is being used as the input to -kvs
  • The cert name is correct (copied from keyvault in portal)
  • The application’s service principal has permissions on the key vault (Owner for now)
  • In the KeyVault’s access policy, the application’s service principal has every single permission (for now, to remove this as a variable)

Things I think it could be

The DevOps pipeline is under a different account than the azure subscription, and thus a different directory. I am wondering if the DevOps pipeline isn’t able to access the keyvault across subscriptions? Although with the client ID and secret, I thought that’d be mitigated.

Any insight into what it could be would be greatly appreciated; I’m somewhat new to this and I’ve exhausted the other resources I’m aware of. Hoping someone with more experience here can spot it quickly.
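A pre-flight check, added here as an example and not part of the original issue or of the AzureSignTool project, that calls Key Vault directly with the same client ID, secret and certificate name the pipeline passes to -kvi, -kvs and -kvc. AzureSignTool reports every failure as "Failed to retrieve certificate", whereas the raw REST call separates a rejected token (wrong directory, client ID or secret) from a missing access-policy permission and from a wrong certificate name. The tenant ID is an assumption not shown in the issue: the token must come from the directory that owns the vault and the app registration, which is exactly the cross-directory suspicion raised above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "7.0"  # Key Vault REST API version accepted by every vault

# Likely cause for each HTTP status, phrased in the issue's own terms.
VERDICTS = {
    401: "token rejected: wrong tenant, client ID (-kvi) or secret (-kvs)",
    403: "authenticated but denied: grant the service principal 'get' on "
         "certificates in the vault access policy",
    404: "certificate not found in this vault: check the name passed to -kvc",
}


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials token for Key Vault, issued by the tenant that owns the
    vault and the app registration (not the DevOps organisation's directory).
    `opener` is injectable so the logic can be exercised offline."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://vault.azure.net/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def check_certificate(vault_url, cert_name, token, opener=urllib.request.urlopen):
    """GET the certificate directly and return (http_status, verdict)."""
    url = f"{vault_url.rstrip('/')}/certificates/{cert_name}?api-version={API_VERSION}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with opener(req):
            return 200, "ok: certificate readable with these credentials"
    except urllib.error.HTTPError as e:
        # Key Vault error bodies look like {"error": {"code": ..., "message": ...}}
        try:
            detail = json.loads(e.read() or b"{}").get("error", {}).get("code", "")
        except (ValueError, AttributeError):
            detail = ""
        verdict = VERDICTS.get(e.code, f"unexpected HTTP {e.code}")
        return e.code, f"{verdict} ({detail})" if detail else verdict
```

Run it once from a machine where the tool also fails: a 403 here means the vault access policy (not AzureSignTool or the pipeline agent) is what rejects the service principal, while a 401 points at the directory or the app credentials.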

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 9 (9 by maintainers)

Top GitHub Comments

1 reaction
SeanKilleen commented, May 16, 2020

Sure enough, as you suggested, I ran the same exact call locally on a DLL file rather than a setup.exe and it retrieved the cert and signed it correctly.

I think this actually might be something I dig into on the Azure DevOps side as a possible bug. I’ll try recreating this pipeline under the account that has access to this subscription to see if that confirms the workaround.

Regardless, your quick walkthrough was helpful! I’ll turn it into a doc PR before closing this issue.

0 reactions
SeanKilleen commented, May 17, 2020

Now that I’ve added the brief text-based walkthrough with example calls in Azure DevOps, I’m going to go ahead and close this.

@vcsjones thanks for your quick help again! Really got me un-stuck quickly.
