Certificate retrieved from KeyVault Error #55

Open
kisalay19 opened this issue Oct 14, 2020 · 0 comments

Comments


kisalay19 commented Oct 14, 2020

I am working on setting up an inbound policy to read the certificate from Key Vault and forward it to the backend under API Management.

When I upload the certificate in APIM itself and use the line below with the thumbprint, I am able to get a valid response:

<authentication-certificate thumbprint="......" />

When I upload the same certificate to Key Vault and add my policy accordingly, I am able to read the certificate body, but when passing it to the backend I get the error "Certificate does not have private key" in the APIM trace. Below is my APIM policy code for reference:

<cache-lookup-value key="TestCertificate" variable-name="keyVaultCertBase64" />
<choose>
    <when condition="@(!context.Variables.ContainsKey("keyVaultCertBase64"))">
        <send-request mode="new" response-variable-name="keyVaultCertResponse" timeout="20" ignore-error="false">
            <set-url>https://testcertvault.vault.azure.net/certificates/TestCertificate/import?api-version=7.1</set-url>
            <set-method>GET</set-method>
            <authentication-managed-identity resource="https://vault.azure.net" />
        </send-request>
        <!-- transform response to string and store in cache -->
        <set-variable name="keyVaultCertBase64" value="@(((IResponse)context.Variables["keyVaultCertResponse"]).Body.As<JObject>()["cer"].ToString())" />
        <cache-store-value key="TestCertificate" value="@((string)context.Variables["keyVaultCertBase64"])" duration="3600" />
    </when>
</choose>
<authentication-certificate body="@(Convert.FromBase64String((string)context.Variables["keyVaultCertBase64"]))" />
<set-backend-service base-url="......." />

I get the same error in the trace if I update the <set-url> value to

<set-url>https://coloclientcert.vault.azure.net/secrets/ColoCertificate/?api-version=7.1</set-url>

Any idea what I am missing?
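As an added example (not code from the original post or from the project): Key Vault's `/certificates/{name}` endpoint returns only the public certificate, base64-encoded in its `cer` field, so handing that value to `authentication-certificate` gives APIM no private key to present to the backend. The private key is held in the certificate's backing secret of the same name, which `/secrets/{name}` returns in the `value` field as a base64-encoded PFX when the certificate's content type is `application/x-pkcs12` (for `application/x-pem-file` the value is PEM text instead). The fragment below reuses the vault name `testcertvault` and certificate name `TestCertificate` from the post; the cache key, variable names and backend URL are constructed placeholders, and it assumes the APIM managed identity has the `get` secret permission on the vault, since the certificate permission alone does not grant access to the backing secret.

```xml
<inbound>
    <base />
    <!-- Example policy; cache key and variable names are constructed for this example. -->
    <cache-lookup-value key="TestCertificatePfx" variable-name="keyVaultPfxBase64" />
    <choose>
        <when condition="@(!context.Variables.ContainsKey("keyVaultPfxBase64"))">
            <send-request mode="new" response-variable-name="keyVaultSecretResponse" timeout="20" ignore-error="false">
                <!-- The certificate's backing secret carries the private key; /certificates/{name} does not. -->
                <set-url>https://testcertvault.vault.azure.net/secrets/TestCertificate?api-version=7.1</set-url>
                <set-method>GET</set-method>
                <authentication-managed-identity resource="https://vault.azure.net" />
            </send-request>
            <!-- For a PKCS #12 certificate the secret's "value" is the base64-encoded PFX. -->
            <set-variable name="keyVaultPfxBase64" value="@(((IResponse)context.Variables["keyVaultSecretResponse"]).Body.As<JObject>()["value"].ToString())" />
            <!-- This caches private-key material inside APIM; keep the duration short so a rotated key is picked up promptly. -->
            <cache-store-value key="TestCertificatePfx" value="@((string)context.Variables["keyVaultPfxBase64"])" duration="300" />
        </when>
    </choose>
    <!-- Decode the PFX bytes and present them as the client certificate. -->
    <authentication-certificate body="@(Convert.FromBase64String((string)context.Variables["keyVaultPfxBase64"]))" />
    <!-- Placeholder backend URL. -->
    <set-backend-service base-url="https://backend.example.invalid" />
</inbound>
```

If the PFX was exported with a password, `authentication-certificate` also takes a `password` attribute for the same bytes. A trace showing "Certificate does not have private key" while reading `cer` is the expected symptom of using the public-only endpoint, so checking which endpoint and which JSON field the policy reads is the first thing to verify. Where the APIM instance supports it, uploading the Key Vault-backed certificate as an APIM certificate resource and referencing it with the `certificate-id` attribute of `authentication-certificate` avoids pulling and caching key material in policy at all.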
