# cert stored in KeyVault
$orgName = "orgname"
$tenant = "$orgName.onmicrosoft.com"
$adminUrl = "https://$orgName-admin.sharepoint.com"
$clientID = "xxxx5b29-xx3d-xx0d-9axx-exxxxxxxxxfx"
$VaultName = 'AutomationVaultName'
$certName = 'CertificateName'
$secretSecureString = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName 
$secretPlainText = ConvertFrom-SecureString -AsPlainText -SecureString $secretSecureString.SecretValue
$secretByte = [Convert]::FromBase64String($secretPlainText)
$x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($secretByte, "", "Exportable,PersistKeySet")

Connect-PnPOnline -Url $adminUrl -ClientId $clientID -Certificate $x509Cert -Tenant $tenant 

Based on:

https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificate?view=azps-5.3.0

https://stackoverflow.com/questions/43837362/keyvault-generated-certificate-with-exportable-private-key