Debug endpoint connectivity to edge routers

My endpoint is running with latest ziti-edge-tunnel (0.20.6) with third party CA provided identity x509 certificate. Endpoint enrollment didnt show any issues and I can see identity getting registered. But ZAC shows that this endpoint is not able to connect to any edge routers.
My third party CA registered identities get a default identity role attribute and all of the routers have a default attribute and there is a edge router policy allowing those 2. So I am at a loss as to whats going on here.
How can I debug this further?

TIA

ziti edge policy-advisor should tell you if your policies are configured correctly

whoa! this is going to be extremely helpful. Thanks a TON @smilindave26