"UNABLE_TO_VERIFY_LEAF_SIGNATURE" Error 403 Forbidden

Hello i added a external microsoft identity provider into my Zitadel. Now i got a problem because in my Local Test Zitadel everything works fine with the External identity but on production i get a certificate error. What could the problem be? it normally gets the token and keys but when i do the api call it failes. on my local test zitadel it works.