Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

Issues getting RDP over ZTNA to work properly with Cloudflare (SSL handshake error)

Hello folks, I'm reaching out for assistance for an issue that I've been working with Sophos Support for over a week that we're having issues trying to fix.  Any helpful information is greatly appreciated.  Here's the scenario:

Prereqs - I've followed all prereq steps to get ZTNA properly installed, also confirmed by Sophos Support.

ZNTA has been properly configured on both firewalls (Office and Cloud) and can properly route our test wep apps on our network using Agentless policy.  All CNAMES are configured properly, etc.   These sites are also available in the resource portal on both gateways.  This also works for connecting to the FW admin webpage over ZTNA.  When I try to change this to agent based, this no longer works.  When digging in the network threat logs, the support agent found a 525 ssl error with the ZTNA agent logs which is quite strange.  This is also valid for both gateways when trying to make an RDP connection over ZTNA.  I've made sure the same wildcard cert and key has been uploaded to each gateway several times, and i've uploaded this cert to cloudflare as good measure.  We've also tried with the changing the A dns record from proxy to dns only with no luck for RDP.  Also reinstalling the ZTNA agent has not helped either.  So right now im at a loss.  It appears the issue is with SSL, but there are no troubleshooting tools available to verify if the cert on the gateway is in use or not. 

Also I done this exact same setup, WITHOUT cloudflare on my home setup running an XG 115 with no issues running on v19.  Both RPD and agentless web apps and godaddy dns works without any issues using the same ssl wildcard cert provider.  Any input is greatly appreciated.