I realise it's old, but I came over this article while looking for a solution to the same problem and couldn't find one elsewhere.
I was able to fix it with Powershell, however it's strange what's necessary given that the PFX has already been submitted to the key vault. If you don't want to save your pfx passwords in keyvault, replace the variable in the $pwd line with your own value.
Create a Powershell task in the Azure DevOps Pipeline. The script is as follows:
#Convert the Secure password that's presented as plain text back into a secure string
$pwd = ConvertTo-SecureString -String $(GlobalCertificate-Password) -Force -AsPlainText
#Create PFX file from Certificate Variable
New-Item Temp-Certificate.pfx -Value $(GlobalCertificate)
#Import the PFX certificate from the newly created file and password. Read the thumbprint into variable
$Thumbprint = (Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -FilePath Temp-Certificate.pfx -Password $pwd).Thumbprint
#Rest of Script below or set environment variable for rest of Pipeline
Write-Host "##vso[task.setvariable variable=Thumbprint]$Thumbprint"