As is tradition: the same minute I post an issue, I find the solution.
If the Account you run PSU under, is not an Administrator, you need to delegate the rights to read the certificate private key
My end goal is to automate requesting certificates, any further tips is appriciated 
I wonder if this step is neccesary if the cert is requested by the gMSA instead.