One solution is to set up a Smallstep certificate authority to issue really short-lived certificates, like 12-hour or one-day validity, with the key stored on an HSM or YubiKey.
If you just make an OpenSSL CA and have very long expiration times on your certs, there is less security in this approach, in my view.
I use Bitwarden on one P8P and on one P7P using a client certificate stored in the system certificate store. It works fine.
In the case of .p12 client certificates, Android seems to only accept legacy certs. Maybe it is something similar in your case.
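The "legacy" distinction in the comment above comes down to which password-based encryption the PKCS#12 container uses: OpenSSL 3 defaults to PBES2 with PBKDF2 and AES-256-CBC, while the older encoding (which `openssl pkcs12 -export -legacy` reproduces) uses the PKCS#12 PBE schemes with 3DES and RC2-40. Because those AlgorithmIdentifiers sit in the unencrypted outer layers of the file, you can tell the two apart without the password. The following is an added example, not code from the original post: a dependency-free DER walker that scans a .p12/.pfx for the PBE algorithm OIDs and reports whether the bundle is legacy-style. The two sample inputs are constructed stand-ins that mimic only the relevant outer structure, not real PKCS#12 files; BER indefinite lengths and multi-byte tags are assumed not to occur.

```python
"""Report the password-based encryption algorithms used inside a PKCS#12 file.

Usage: python p12_pbe_check.py bundle.p12   (or run without arguments to
scan the two constructed samples defined at the bottom).
"""
from __future__ import annotations

import sys

# Dotted OID -> (label, is_legacy_pkcs12_pbe)
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", True),
    "1.2.840.113549.1.5.13": ("PBES2", False),
    "1.2.840.113549.1.5.12": ("PBKDF2", False),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", False),
}


def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER TLV starting at data[pos]."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:  # indefinite (BER) or absurd lengths: not DER
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV body")
    return tag, data[pos:end], end


def decode_oid(body: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    parts = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _is_nested_der(body: bytes) -> bool:
    """PKCS#12 nests ContentInfo/SafeContents as DER inside OCTET STRINGs;
    accept a body only if it is exactly one SEQUENCE, so ciphertext and MACs
    (which almost never satisfy that) are left alone."""
    if not body or body[0] != 0x30:
        return False
    try:
        return _read_tlv(body, 0)[2] == len(body)
    except ValueError:
        return False


def walk(data: bytes, found: list[str]) -> None:
    """Collect every OID reachable through the unencrypted structure."""
    pos = 0
    while pos < len(data):
        tag, body, pos = _read_tlv(data, pos)
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            walk(body, found)
        elif tag == 0x04 and _is_nested_der(body):
            try:
                walk(body, found)
            except ValueError:
                pass  # looked like DER at the surface but was opaque after all


def classify(pkcs12_der: bytes) -> dict:
    """Summarise the PBE algorithms found and flag legacy vs PBES2 encoding."""
    oids: list[str] = []
    walk(pkcs12_der, oids)
    known = [PBE_OIDS[o] for o in oids if o in PBE_OIDS]
    return {
        "algorithms": sorted({label for label, _ in known}),
        "legacy_pbe": any(legacy for _, legacy in known),
        "pbes2": any(not legacy for _, legacy in known),
    }


# --- constructed samples (not real PKCS#12 files) -------------------------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _sample(pbe_oid: str, cipher_oid: str | None) -> bytes:
    """Mimic the outer layers only: SEQUENCE { OCTET STRING { SEQUENCE {
    SEQUENCE { AlgorithmIdentifier, [0] ciphertext } } } } (constructed)."""
    params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))
    if cipher_oid:  # PBES2 nests PBKDF2 and the cipher as AlgorithmIdentifiers
        params = _der(0x30, _der(0x30, _oid("1.2.840.113549.1.5.12") + params)
                      + _der(0x30, _oid(cipher_oid) + _der(0x04, b"\x00" * 16)))
    alg = _der(0x30, _oid(pbe_oid) + params)
    ciphertext = _der(0x80, b"\xde\xad\xbe\xef")  # [0] IMPLICIT, opaque bytes
    return _der(0x30, _der(0x04, _der(0x30, _der(0x30, alg + ciphertext))))


LEGACY_SAMPLE = _sample("1.2.840.113549.1.12.1.3", None)
MODERN_SAMPLE = _sample("1.2.840.113549.1.5.13", "2.16.840.1.101.3.4.1.42")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
    else:
        print("legacy sample:", classify(LEGACY_SAMPLE))
        print("modern sample:", classify(MODERN_SAMPLE))
```

On a real OpenSSL 3 export you should see PBES2/PBKDF2/aes256-CBC and `legacy_pbe: False`; a `-legacy` export shows the 3DES and RC2-40 schemes instead, which is the form the comment reports Android importing successfully.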