AP55 won't connect to Central through XGS (SFOS 19.0.1 MR-1-Build365) cause of TLS Handshake Failure

We try to register an AP55 to Sophos Wireless - works like a charm when working without the XGS

When connection the AP55 behind the XGS we always receive a Timeout and the log entry (SSL/TLS inspection):

TLS handshake fatal alert: bad certificate(42).

sophos.com and all necessary other sites and ports are open and excluded from SSL/TLS inspection, equally sophos.com and all other necessary sites are allowed (i can see the log entry in the firewall log  that access to wifi.cloud.sophos.com is allowed) but registration times out.

As we tried to connect without the XGS the AP has the actual updated firmware.

Any ideas which rules/exclusions to build and get the registration running?