AASA error "Disallowed trust result type" in sysdiagnose

In our test environments (only accessible over VPN), universal links have recently started to fail (for iOS 13, which doesn't use Apple's AASA CDN).

I've captured a sysdiagnose to look at the swcd logs. I see entires for our private test domains that look like this (edited to redact domain details just in case):

Code Block 
------------------------------------------------------
Service:              applinks
App ID:               <<redacted>>
App Version:          2101251821
Domain:               <<redacted>>
User Approval:        unspecified
Site/Fmwk Approval:   unspecified
Flags:                
Last Checked:         2021-01-26 12:12:01 +0000
Next Check:           2021-01-26 15:17:37 +0000
Error:                Error Domain=SWCErrorDomain Code=100 "Disallowed trust result type." UserInfo={Line=174, Function=-[SWCSecurityGuard verifyTrust:error:], NSDebugDescription=Disallowed trust result type., TrustResultType=6}
Retries:              1
------------------------------------------------------

I've done a little bit of digging for TrustResultType and I'm guessing that it might be a SecTrustResultType which is an enum. If this is the case then the error code is kSecTrustResultFatalTrustFailure.

Digging a bit more, the only mentions that I can find such as this Apple doc suggest that there is probably some kind of certificate issue.

---

Am I right that this is probably a certificate issue?

Is there any way to discover more about what swcd is troubled by (perhaps the function and line number in the error could be helpful)?

I'd like to be able to find out more specifically what the issue is so I can point out infrastructure team in the direction of the cause.

NB: if I try to directly open the AASA file at <redacted-domain>/.well-known/apple-app-site-association using a test iPhone on the VPN, I can open the file and it looks correct to me. However, perhaps Safari has less stringent certificate requirements than swcd?

Thanks.