Forum Discussion
Unable to authenticate with MSAL using a certificate
Switching the key storage flag to a persistent or exportable option fixed the issue immediately. Instead of using the ephemeral key set, I created the certificate instance using either X509KeyStorageFlags.Exportable or X509KeyStorageFlags.MachineKeySet. Once the private key was properly loaded, authentication with both SharePoint and Microsoft Graph API started working as expected. For anyone else facing this issue, make sure that cert.HasPrivateKey returns true at runtime, confirm that the system time is accurate (since even a small time skew can cause misleading AADSTS errors), and verify that the certificate chain is fully trusted on the local machine. It’s also best to avoid relying on EphemeralKeySet unless necessary, as it behaves inconsistently across different Windows 11 versions. In short, this wasn’t a problem with Azure AD or MSAL configuration—it was a Windows 11-specific issue related to how ephemeral certificate keys are handled. Using MachineKeySet or Exportable resolved the authentication problem completely.
using System.Security.Cryptography.X509Certificates;

// Persist the key in the machine key store so HasPrivateKey is reliably true
var cert = new X509Certificate2(certBytes, password, X509KeyStorageFlags.MachineKeySet);
or
// Load the key as exportable (also avoids the ephemeral key set)
var cert = new X509Certificate2(certBytes, password, X509KeyStorageFlags.Exportable);
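The runtime checks the post recommends (HasPrivateKey, chain trust, validity window) can be done before the certificate ever reaches MSAL, so a bad key load fails with a specific message instead of a vague AADSTS error. The following is an added example written for this thread, not code from the poster; it assumes the Microsoft.Identity.Client package and uses placeholder values for the tenant ID, client ID, PFX path and password.

```csharp
// Added example (not the poster's code). Assumptions: Microsoft.Identity.Client is referenced;
// TENANT_ID, CLIENT_ID, the PFX path and password are placeholders to be replaced.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class CertAuthCheck
{
    // Loads a PFX with a persisted key and validates it locally.
    // Throws with a precise reason rather than letting MSAL surface a misleading error later.
    public static X509Certificate2 LoadAndValidate(byte[] pfxBytes, string password)
    {
        // MachineKeySet persists the key in the machine store; combining it with Exportable
        // mirrors the post's fix and avoids EphemeralKeySet, which left HasPrivateKey false.
        var cert = new X509Certificate2(pfxBytes, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

        // Check 1: the private key must actually be attached at runtime.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX loaded but no private key is attached.");

        // Check 2: the certificate must be within its validity window according to local time.
        // If this fails for a cert you know is valid, suspect system clock skew, which also
        // breaks the signed client assertion MSAL sends (its nbf/exp claims use the local clock).
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Certificate not valid at {now:u} (valid {cert.NotBefore:u} to {cert.NotAfter:u}); check system time.");

        // Check 3: the chain must be trusted on this machine.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the check offline-friendly
        if (!chain.Build(cert))
        {
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"chain problem: {status.Status} - {status.StatusInformation}");
            throw new InvalidOperationException("Certificate chain is not trusted on this machine.");
        }

        return cert;
    }

    // Client-credentials flow against Microsoft Graph using the validated certificate.
    public static async Task<string> AcquireGraphTokenAsync(
        X509Certificate2 cert, string tenantId, string clientId)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        var result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        return result.AccessToken;
    }

    public static async Task Main()
    {
        // Placeholders (assumptions): replace with real values before running.
        const string tenantId = "TENANT_ID";
        const string clientId = "CLIENT_ID";
        byte[] pfxBytes = File.ReadAllBytes(@"C:\path\to\app-cert.pfx");
        string password = "PFX_PASSWORD";

        var cert = LoadAndValidate(pfxBytes, password);
        Console.WriteLine($"Loaded {cert.Subject}, thumbprint {cert.Thumbprint}, private key OK");

        string token = await AcquireGraphTokenAsync(cert, tenantId, clientId);
        Console.WriteLine($"Got Graph token ({token.Length} chars)");
    }
}
```

Running this on a box where the key was loaded ephemerally surfaces the problem at the HasPrivateKey check, and running it with a skewed clock surfaces it at the validity-window check, so the three causes the post lists can be told apart before any request to Azure AD.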