Hey @lukeuit. You seem to be doing everything right from a Posh-ACME perspective. I'm not terribly familiar with Azure App Gateway though. Is the PFX file uploaded to it directly or via Azure Key Vault or something? Do you have any control over the chain config on the Azure side?
This may end up being a quirk specifically with ssllabs and Azure App Gateway. The next time you test, I would suggest using openssl to see exactly what chain App Gateway is sending to clients like this:
> openssl s_client -connect aspen.lukeuhren.com:443
Among the wall of text output towards the top should be a section that looks like this (assuming the default long chain):
---
Certificate chain
0 s:CN = aspen.lukeuhren.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
This indicates that the server is sending the leaf certificate (0) issued by R3, the R3 intermediate (1) issued by ISRG root, and the ISRG root (2) issued by the DST Root.
Depending on how App Gateway does its chain building, it's possible it might leave out the ISRG Root (2). But it should at least have 0 and 1.
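An added example, not part of the original post: a shell function that reads `openssl s_client` output and summarizes the chain section described above, reporting how many certificates the server sent, whether each issuer matches the next subject, and who issued the last one. The names `chain_summary` and `sample_chain` are hypothetical, and the sample input is constructed from the chain shown in the post.

```shell
#!/bin/sh
# Added example; chain_summary and sample_chain are hypothetical names.
# Reads `openssl s_client` output on stdin and summarizes the
# "Certificate chain" section in one line.
chain_summary() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    # A bare "---" closes the section (PEM "-----BEGIN" lines do not match).
    in_chain && /^---$/  { in_chain = 0; next }
    in_chain && /^ *[0-9]+ s:/ {
      line = $0; sub(/^ *[0-9]+ s:/, "", line); subj[n++] = line; next
    }
    in_chain && /^ *i:/ {
      line = $0; sub(/^ *i:/, "", line); iss[n - 1] = line; next
    }
    END {
      linked = (n > 0) ? "yes" : "no"
      # Each certificate must be issued by the subject of the next one.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) linked = "no"
      printf "count=%d linked=%s top_issuer=%s\n", n, linked, iss[n - 1]
    }
  '
}

# Constructed sample modeled on the chain output in the post.
sample_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = aspen.lukeuhren.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

sample_chain | chain_summary
# Live use:
# openssl s_client -connect aspen.lukeuhren.com:443 </dev/null 2>/dev/null | chain_summary
```

A result of `count=2` with `top_issuer` naming ISRG Root X1 corresponds to the case where the gateway leaves out certificate 2; `linked=no` means the certificates sent do not form a continuous chain.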