Correct. There are workarounds, but Windows builds its own certificate chain for your certificate, which it then uses (when acting as a server or a client), regardless of the chain you may have constructed in the installed PFX (stored in the machine certificate store).
Options/workarounds include:
- Proxying your service via nginx, Caddy, Apache, etc. (these construct the chain from PEM files)
- Proxying your service via Cloudflare
- Moving ISRG Root X1 to Untrusted (not recommended, can affect outgoing https calls from your server to other services, like Let's Encrypt).
- Using an alternative CA
Note that there will be another round of root/intermediate expiries in 2024/25 etc and at that point those Android devices will be entirely out of luck as well.
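As an added illustration of the first workaround (not part of the reply above), this nginx server block terminates TLS with the exact chain in certbot's fullchain.pem and forwards plain HTTP to the Windows-hosted service. The hostname, certificate paths and the backend port are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.com;   # assumed hostname

    # nginx sends the certificates in this file as-is (leaf, then the
    # intermediate(s) and, in certbot's default layout, the ISRG Root X1
    # cross-sign). It does not rebuild the chain from the machine store the
    # way Windows does, so the long chain reaches older Android clients.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        # The Windows service keeps listening on plain HTTP locally
        # (assumed port); only nginx is exposed on 443.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To confirm which chain is actually presented, run `openssl s_client -connect example.com:443 -showcerts </dev/null` against the proxy and compare the certificates listed with the contents of fullchain.pem.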