After spending most of the day on this exact same issue I hope I will make most of you very happy as I think I have found the solution…
As with everyone else, the X1 certificate was nowhere to be found yet IIS managed to serve it in the chain.
After a lot of head banging I finally found the one place no one had looked before. The user certificate store for the Local System account. That’s right - there is such a thing and it is not the same as the computer store.
To get to it, you need to download PsTools from SysInternals and run psexec -i -s mmc.exe, go to File -> Add-Remove Snap-in, choose Certificates and My user account. Now go into Intermediate Certificate Authorities and you should find that elusive X1 certificate hiding there.
It might be enough to remove the X1 and then restart IIS, but I ended up adding the X3 certificate here just to be sure (right click on the certificate list - click All Tasks -> Import and choose the X3 file).
After this you need to “touch” the bindings in IIS (for example, change the certificate and then back again or delete/add the binding) and after IIS is then restarted it will finally start to serve the correct chain.
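The same check and fix, scripted, as an added example that is not part of the original post: run it under the Local System account with psexec so that Cert:\CurrentUser is Local System's own store, compare it against the machine store, and only remove/import when -Fix is given. The subject pattern '*X1*' and the file name .\x3.cer are placeholders, not values from the post.

```powershell
# Added example (not from the original post). Run from an elevated prompt as:
#   psexec -i -s powershell.exe -ExecutionPolicy Bypass -File .\Check-SystemCaStore.ps1 [-Fix]
param(
    [string]$StaleSubjectPattern = '*X1*',     # assumption: subject of the stale intermediate
    [string]$ReplacementCerPath  = '.\x3.cer', # assumption: path to the X3 intermediate file
    [switch]$Fix                               # without -Fix the script only reports
)

# Confirm we really are Local System (S-1-5-18); otherwise Cert:\CurrentUser is some other user's store
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Running as $($me.Name); start via 'psexec -i -s powershell.exe' so Cert:\CurrentUser is Local System's store."
}

# The two places IIS can pick intermediates from: the computer store and Local System's user store
$machineCa = @(Get-ChildItem Cert:\LocalMachine\CA)
$systemCa  = @(Get-ChildItem Cert:\CurrentUser\CA)
"Intermediates in LocalMachine\CA:      $($machineCa.Count)"
"Intermediates in Local System user CA: $($systemCa.Count)"

# Certificates present only in Local System's user store never show up in the computer-store MMC view
$hidden = $systemCa | Where-Object { $_.Thumbprint -notin $machineCa.Thumbprint }
"Only in Local System's user store:"
$hidden | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$stale = $systemCa | Where-Object { $_.Subject -like $StaleSubjectPattern }
if (-not $stale) { "No certificate matching $StaleSubjectPattern in Local System's CA store."; return }

if ($Fix) {
    foreach ($c in $stale) {
        "Removing $($c.Subject) ($($c.Thumbprint))"
        Remove-Item -Path "Cert:\CurrentUser\CA\$($c.Thumbprint)"
    }
    if (Test-Path $ReplacementCerPath) {
        Import-Certificate -FilePath $ReplacementCerPath -CertStoreLocation Cert:\CurrentUser\CA | Out-Null
        "Imported $ReplacementCerPath into Local System's CA store."
    }
    "Done. Re-save the IIS binding and restart IIS so the served chain is rebuilt."
} else {
    "Found $($stale.Count) candidate(s); rerun with -Fix to remove them and import $ReplacementCerPath."
}
```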