Hi @jfin, welcome to the community and to OpenZiti
Not gonna lie - this line does scare me as someone trying to support the community. Getting the PKI right is a difficult thing to do and not for the faint of heart. I expect you've misconfigured it somehow. Also this statement at the end of your post is incorrect. *Quickstart works because it uses internal enrollment that bypasses external JWT verification.*. That is not true, don't be misled...
I'd suggest you read through this older thread OpenZiti network from scratch - #10 by nenkoru and possibly watch the Ziti TV if you need to. Community member @nenkoru put up GitHub - nenkoru/openziti_manual_pki: Bootstrap PKI for OpenZiti manually which is referenced in that thread.
I think that's really waht you need. If you follow that and still have questions, I think we can go from there?