
agent-forwarding does not work with certificates

Open sevenrats opened this issue 7 months ago • 6 comments

It will take me a few hours to get to the bottom of it, but it looks like when you use this agent with an SSH PKI, agent forwarding appears to cause the pubkey itself, not the certificate, to get forwarded. Here is a scenario: I have user machine A and hosts B and C. User A has TPM user keys, while B and C trust the CA which has signed A's TPM pubkey.

From my user on machine A I will `ssh -Av B.local`; I can confirm from the output that my certificate is approved and I log in without a password. Within this session I now `ssh -v C.local`; this authorization fails. If I move the pubkey to machine C as an authorized_key, then the forwarded agent works. So it seems to me that ssh-tpm-agent needs to be modified to correctly forward the certificate, as this scheme works as intended when not using the TPM agent.

sevenrats, Dec 10 '23 20:12
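One way to confirm what the scenario above describes is to ask the agent directly: on host B, with `SSH_AUTH_SOCK` pointing at the forwarded socket, the client can send the agent protocol's request-identities message and check whether any returned key type carries the `-cert-v01@openssh.com` suffix. The script below does that (added example, not ssh-tpm-agent's own code); the socket path comes from the environment, and the sample key types and comments used to exercise the parser are constructed.

```python
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client
CERT_SUFFIX = "-cert-v01@openssh.com"


def _string(b: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_identities_answer(msg: bytes):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body (length prefix already stripped).
    Returns [(key_type, comment, is_certificate)] in the order the agent lists them."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % (msg[:1],))
    (count,) = struct.unpack(">I", msg[1:5])
    out, off = [], 5
    for _ in range(count):
        blob, off = _read_string(msg, off)       # public key / certificate blob
        comment, off = _read_string(msg, off)    # free-form comment
        key_type = _read_string(blob, 0)[0].decode()  # first field of every blob
        out.append((key_type, comment.decode("utf-8", "replace"), key_type.endswith(CERT_SUFFIX)))
    return out


def build_identities_answer(identities) -> bytes:
    """Encode [(key_type, raw_key_bytes, comment)] as an agent answer (used for constructed samples)."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for key_type, raw, comment in identities:
        body += _string(_string(key_type.encode()) + raw) + _string(comment.encode())
    return body


def query_agent(sock_path=None):
    """Ask the agent behind SSH_AUTH_SOCK (on host B, the forwarded socket) what it offers."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        reader = s.makefile("rb")
        (n,) = struct.unpack(">I", reader.read(4))
        return parse_identities_answer(reader.read(n))


if __name__ == "__main__":
    for key_type, comment, is_cert in query_agent():
        print("CERT" if is_cert else "KEY ", key_type, comment)
```

If the listing on B shows only bare key types and no `*-cert-v01@openssh.com` entries, the certificate is not being offered through the forwarded agent, which matches the behaviour reported above.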