Service Fabric Cluster nodes can't get private key from certificate

I have a 5 node service fabric cluster running a single application. I have my app settings encrypted using a self signed certificate. This certificate is uploaded to keyvault, and I have fed this URL into my application. I can see the cert is being installed on my VM, and running Invoke-ServiceFabricDecryptText also returns me the correct decrypted value. However, when looking at my management console, I see this error:

Error event: SourceId='System.Hosting', Property='Activation:1.0'.
There was an error during activation.Failed to ACL folders or certificates required by application. Error:0x80090014

Looking into the node logs, I see these entries that correspond with the error above:

2016-9-7 20:09:44.541,Informational,2148,2580,Common.CryptoUtility,GetCertificate(LocalMachine, MY, FindByThumbprint:)
2016-9-7 20:09:44.541,Informational,2148,2580,Common.CryptoUtility,GetCertificate: match found: thumbprint = [thumbprint], expiration = 2017-09-02 16:08:04.000
2016-9-7 20:09:44.541,Error,2148,2580,Common.CryptoUtility,CryptAcquireCertificatePrivateKey failed. Error:0x80090014
2016-9-7 20:09:44.541,Error,2148,2580,Common.SecurityUtility,Failed to get the Certificate's private key. [thumbprint]. Error: 0x80090014
2016-9-7 20:09:44.541,Warning,2148,2580,Hosting.ProcessActivationManager,ACLing private key filename for thumbprint [thumbprint]. ErrorCode=0x80090014

I'm at a loss.

Ended up being a bad cert. The one I initially uploaded to Keyvault was an existing certificate using New-SelfSignedCertificate in posh. I then added a second one to Key Vault by making it on the fly with the Invoke-AddCertToKeyVault command with the -CreateSelfSignedCertificate switch, and it worked.