Let's start by checking the current device registration status.
dsregcmd /status
Check the SSO State section. Do you see "AzureAdPrt : NO" and "Credential Type : Certificate"?