Forum Discussion
Exchange Hybrid sending external email from on-premises
I have an Exchange 2019 server set up as our hybrid server. Mail flow works fine to any mailboxes moved to Exchange Online, and inbound mail from the Internet is delivered successfully to on-premises mailboxes. Where we're having trouble is trying to send email to the Internet from an on-premises mailbox. My preference is to route all email through Exchange Online, so in addition to the Send connector the Hybrid wizard created, I created a second connector using the * SMTP address space and sending to our smarthost, i.e. the record in the MX value from Exchange Online. I also gave this connector a cost of 2 so it still uses the default Send connector for email going to our tenant.
Any email that isn't going to our tenant, so domain.mail.onmicrosoft.com, is immediately rejected with the error "Remote Server returned '550 5.7.64 TenantAttribution; Relay Access Denied [ValidationStatus of 'CN=SERVER' is UntrustedRoot]"
The Exchange Online connector from our Org to O365 is set to use subject name of certificate, .ourdomain.com. I even tried setting it to the external IP the emails would come from and that failed as well. One thing I noticed in the send log, the subject name of the cert is mail.ourdomain.com, not *.ourdomain.com as shown in the example from this URL. So, I even tried updating the EXO connector to look for the subject name mail.ourdomain.com and still no luck.
https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/relay-access-denied-smtp
I also tried the steps here.
https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/tenantattribution-ndr
What could I be missing?
3 Replies
- ns007 (Copper Contributor)
Apologies, I forgot this was still up or even got approved. I monitored it the first full day and never saw the post approved. Anyway, I ended up sorting it out. It was never an Exchange issue, but something was up with the VM host the server was on.
- VimsTech (Copper Contributor)
Hope you have created the connector with the below command. You may need to use the Get-SendConnector command to verify the below settings, and the Set-SendConnector command to set them accordingly. Also, make sure outbound port 25 is open from the Exchange servers to Microsoft IPs.

$params = @{
    Name                     = "Outbound to Internet via Office 365"
    AddressSpaces            = "*"                                    # all external recipients
    CloudServicesMailEnabled = $true                                  # hybrid: keep cross-premises headers so EXO can attribute mail to the tenant
    Fqdn                     = "mail.xyz.com"                         # must match the subject/SAN of the certificate presented to Exchange Online
    RequireTLS               = $true
    DNSRoutingEnabled        = $false                                 # route to the smart host, not by MX lookup
    SmartHosts               = "xyz-com.mail.protection.outlook.com"  # the tenant's MX endpoint
    TlsAuthLevel             = "CertificateValidation"
}
New-SendConnector @params
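The NDR quoted in the question reports ValidationStatus UntrustedRoot, which means Exchange Online could not chain the certificate the on-premises server presented to a trusted CA, so tenant attribution failed. As an added example (not code from the thread or from Microsoft), the script below runs the checks a practitioner would want before concluding the connector is at fault: it compares the Send connector against the settings in the reply above, finds the SMTP-enabled certificate matching the connector's Fqdn and builds its chain locally, and tests TCP 25 to the smart host. The connector name and hostnames are the placeholders used in the reply; run it from the Exchange Management Shell.

```powershell
# Added example, not part of the original thread. Connector name and smart host are
# placeholders taken from the reply above; substitute your own values.
$ConnectorName = "Outbound to Internet via Office 365"
$SmartHost     = "xyz-com.mail.protection.outlook.com"

$sc = Get-SendConnector -Identity $ConnectorName

# 1. Settings the hybrid relay connector needs; anything marked FIX is changed with Set-SendConnector.
$expected = @{
    CloudServicesMailEnabled = $true                    # preserves cross-premises headers used for tenant attribution
    RequireTLS               = $true
    TlsAuthLevel             = 'CertificateValidation'
    DNSRoutingEnabled        = $false                   # deliver to the smart host, not by MX lookup
}
foreach ($k in $expected.Keys) {
    $actual = $sc.$k
    $state = if ("$actual" -eq "$($expected[$k])") { 'OK  ' } else { 'FIX ' }
    "{0} {1,-26} = {2}" -f $state, $k, $actual
}
"     AddressSpaces = $($sc.AddressSpaces -join ', ')"
"     SmartHosts    = $($sc.SmartHosts -join ', ')"
"     Fqdn          = $($sc.Fqdn)"

# 2. The certificate Exchange will present on this connector: it must be enabled for SMTP,
#    match the connector's Fqdn, and chain to a root the remote side trusts.
$exCert = Get-ExchangeCertificate | Where-Object {
    $_.Services -match 'SMTP' -and
    ($_.Subject -like "*CN=$($sc.Fqdn)*" -or $_.CertificateDomains -contains $sc.Fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $exCert) {
    "FIX  no SMTP-enabled certificate matches Fqdn $($sc.Fqdn); the default self-signed server certificate will be reported as UntrustedRoot"
} else {
    "     Certificate   = $($exCert.Subject) (thumbprint $($exCert.Thumbprint), expires $($exCert.NotAfter))"
    # Load the X509Certificate2 from the machine store and build its chain locally.
    # A self-signed or private-CA certificate fails here the same way the NDR describes.
    # Local trust is necessary but not sufficient: the issuer must also be a CA the
    # receiving service trusts, so a public CA is required for the hybrid connector.
    $cert  = Get-Item "Cert:\LocalMachine\My\$($exCert.Thumbprint)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($ok) { "OK   certificate chains to a trusted root" } else { "FIX  chain problem: $statuses" }
}

# 3. Outbound TCP 25 to the smart host (reachability only; this does not exercise the SMTP/TLS handshake).
$tnc = Test-NetConnection -ComputerName $SmartHost -Port 25 -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) { "OK   TCP 25 to $SmartHost reachable" } else { "FIX  TCP 25 to $SmartHost blocked" }
```

A connector that passes all three checks can still be rejected if the tenant-side inbound connector is scoped to a different certificate subject or sender IP than the one actually presented, so compare the Fqdn and certificate printed here with the subject name configured on the Exchange Online connector.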
- Hello,
Did you run the Hybrid Configuration Wizard correctly? You should already have a connector that handles email going from your on-premises organization to the Internet, so what was the intention in creating another connector?
Thanks for clarifying