This sounds like a question for @rmbolger : Using Let's Encrypt for Active Directory Domain Controller Certificates - Adventures in Tech
In general you need to ensure all the necessary services have been updated/restarted and verify the different services individually.
Windows event viewer (perhaps with optional logs enabled) will likely tell you things that have failed.
Things I would suspect include:
- are all the correct hostnames on the certificate
- is the ISRG Root X1 (root) certificate trusted by all servers and clients involved
- is the private key RSA and is it a compatible key size
- is the private key accessible to the service (i.e. was the certificate stored to the machine certificate store or to a user certificate store, and is it in the correct store, e.g. should it be in "My").
See also: Certificate requirements when you use EAP-TLS - Windows Server | Microsoft Learn
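The checklist above can be run against the machine "My" store in one pass. This is an added example, not part of the original post; the function name `Test-ServiceCertificate` and the hostname `dc01.example.test` are assumptions made for illustration.

```powershell
# Added example: report, for a certificate in the machine "My" store, the items
# from the checklist (hostnames, chain root and trust, key type and size, private key).
function Test-ServiceCertificate {
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,     # certificate to inspect
        [Parameter(Mandatory)] [string[]] $ExpectedNames   # hostnames clients connect to
    )

    # Store location: fails here if the certificate is not in LocalMachine\My
    # (for example, if it was imported into a user store instead).
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Hostnames: exact comparison against the certificate's DNS names.
    # Wildcard entries are listed as-is and are not expanded.
    $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($ExpectedNames | Where-Object { $_ -notin $names })

    # Trust: build the chain without revocation checking and report the root it
    # ends at, so it can be compared with the expected root (ISRG Root X1).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root    = @($chain.ChainElements)[-1].Certificate.Subject

    # Key type and size: GetRSAPublicKey returns $null for a non-RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DnsNames      = $names -join ', '
        MissingNames  = $missing -join ', '
        ChainTrusted  = $trusted
        ChainRoot     = $root
        KeyIsRsa      = [bool]$rsa
        RsaKeyBits    = if ($rsa) { $rsa.KeySize } else { $null }
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Constructed hostname; substitute the names your clients actually use.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    Test-ServiceCertificate -Thumbprint $_.Thumbprint -ExpectedNames 'dc01.example.test'
} | Format-List
```

`HasPrivateKey` only shows that a key is associated with the certificate; whether the service account can read that key still has to be checked separately. Run the same chain check on a client to confirm that side trusts the root as well.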