Forum Discussion
WHfB with cert-trust-model
Good morning!!! Hope you had a good start to the day.
I am actually setting up “WHfB with cert-trust-model” and have one quick and binary question. Appreciate your help.
Is "device writeback" mandatory for JUST the "Windows Hello Cert-Trust-Model"?
I am NOT interested in obtaining enterprise-PRT through ADFS.
Mine is a simple use-case of https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication#hybrid-azure-ad-join-authentication-using-a-certificate
MS has done a good job depicting the flow below, but if you focus on the bottom part of the flow where the "certificate-creation-request" is sent from the hybrid device to the "Certificate-RA", my understanding is that the request NEED NOT be signed by the device private key.
Of course user-key or at least user-key-receipt is needed but cert-generation is NOT dependent on device-writeback.
Later on, if an enterprise PRT through ADFS is requested, then device writeback is definitely mandatory, but that is not what I am interested in.
Am I correct in my understanding?
Thanks.