Signtool on shared windows runner fails signing when using certificate as a file

So I’m using a shared windows runner, certificate as file in security files and password in a protected variable. Nevermind the later two.
The thing is that when I use .p12 certificate format, signtool (using /f and /p arguments) fails with filtering for private key (0 matches) and when I use .pfx format it throws this error: Error information: "Error: Store::ImportCertObject() failed." (-2146893808/0x80090010)
Both approaches work on my local machines. I assume the runner issues have to do with user privileges under which runner is running. But I’m still puzzled since signtool shouldn’t require any privilege when using certificate in a file - at least that’d be my assumption.
The bottom line - did anybody succeed using signtool within a shared windows runner?