Yes,
Recreating the template with an additional setting configured. A step was missing from the documentation (I have sent some contacts the information about this). When you are editing the VPN Adapter, when you are in the smart cord or other certificate properties window (where you select Use a certificate on this computer), there is an Advanced button, select this. You should have a checkbox to select "Certificate Issuer," and then you will choose which certificate issues to be used for this certificate. This will scope it to only look for those from the specific CA.

@Jordan Paris We are having the same issue after migrating our emails to O365. The AD was already on Azure. Can you explain the solution a bit further as dont know which certificate you mean and where it needs to be edited?

You may have solved it already, but others may find this useful..
In addition to Jordans message, I edited the connection by going into Security -> Properties (for the EAP-authentication setting) -> Configure at the "Choose an authentication method" section -> Advanced under the "When I connect" section -> Check the checkbox at the top and select the root certificate provider that will handle these authentications. Go back with the OK-button until it's saved and then it should work. At least it did for me.

Thanks Jordan for pointing me in the right direction!

EDIT: I should point out that the menu options can differ slightly since I had to translate my equivalents into English, but hopefully they will be close enough.

EDIT2: The <TLSExtensions ...> ... </TLSExtensions> is then added to the config when you export the XML.