I have the following code, which attempts to set up Hotspot 2.0 using an EAP-TLS configuration. I am importing a PKCS#12 (.p12) file and using the certificates from it.
I have tried many permutations of the configuration and have worked through all the other errors I was getting; now I only get a generic:
Error: invalid EAP settings.
I have also tried adding the identity separately. That either fails with an entitlements error, which I can't explain since I have added the required network extension sharing groups, or with a duplicate item error, meaning it was already correctly added.
The certificate and configuration are correctly working through an Android app already.
/// Keychain access group string: the `AppIdentifierPrefix` value from the app's Info dictionary
/// followed by `com.apple.networkextensionsharing`.
///
/// Evaluates to `nil` (after logging) when the Info dictionary has no string value under
/// `AppIdentifierPrefix`.
static let accessGroup: String? = {
    // The prefix is read from Info.plist at first access; the value is then cached by `static let`.
    if let teamPrefix = Bundle.main.object(forInfoDictionaryKey: "AppIdentifierPrefix") as? String {
        // NOTE(review): the prefix is concatenated with no separator, so it is assumed to
        // already end in "." — confirm against the built Info.plist.
        return "\(teamPrefix)com.apple.networkextensionsharing"
    }
    print("Could not load group")
    return nil
}()
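/// Builds a Hotspot 2.0 (HS20) configuration that authenticates with EAP-TLS and applies it.
///
/// The client identity is taken from the PKCS#12 blob in `data.p12`. `data.realm` is used as the
/// HS20 domain name, the NAI realm and the only trusted server name. Every failure is reported
/// with `print` and ends the call early; nothing is returned to the caller.
///
/// - Parameter data: Realm, user name and PKCS#12 bytes for the profile.
static func setupHotspot(data: CertificateData) {
    // The import options need the shared keychain access group. Bail out with a message
    // instead of crashing on a force unwrap when the Info.plist lookup failed.
    guard let sharedGroup = accessGroup else {
        print("Keychain access group unavailable")
        return
    }

    let h20 = NEHotspotHS20Settings(domainName: data.realm, roamingEnabled: false)
    h20.naiRealmNames = [data.realm]

    var result: CFArray?
    // NOTE(review): the PKCS#12 passphrase is a literal in source (redacted in this listing).
    // A passphrase compiled into the app can be read back out of the binary, so it should be
    // supplied at runtime rather than shipped with the code.
    // NOTE(review): kSecImportExportPassphrase is the documented import option. Confirm that
    // kSecAttrLabel, kSecAttrAccessGroup and kSecReturnPersistentRef are honoured by
    // SecPKCS12Import on the target OS, otherwise the identity may never reach the shared
    // access group.
    let options: [CFString: Any] = [
        kSecImportExportPassphrase: "**********",
        kSecAttrLabel: "ident:\(data.user)",
        kSecAttrAccessGroup: sharedGroup,
        kSecReturnPersistentRef: true
    ]

    let status = SecPKCS12Import(data.p12 as CFData, options as CFDictionary, &result)
    guard status == errSecSuccess else {
        print("P12 Import failed: \(status)")
        return
    }

    // A successful status with an empty result, or an entry without an identity, is reported
    // separately so the log does not show a "failed" message with a success code.
    guard let importResult = result as? [[String: Any]],
          let resultDict = importResult.first,
          let identityValue = resultDict[kSecImportItemIdentity as String] else {
        print("P12 Import returned no identity")
        return
    }
    // Swift does not allow a conditional cast to a CoreFoundation type, so presence is
    // checked above and the cast is applied only to a non-nil value.
    let identity = identityValue as! SecIdentity

    let eap = NEHotspotEAPSettings()
    eap.supportedEAPTypes = [NEHotspotEAPSettings.EAPType.EAPTLS.rawValue as NSNumber]
    eap.isTLSClientCertificateRequired = true
    // NOTE(review): server-name validation is pinned to the realm string. Confirm that the
    // authentication server's certificate actually carries this name.
    eap.trustedServerNames = [data.realm]
    eap.outerIdentity = "anonymous"

    // NOTE(review): setIdentity is documented to look the identity up in the keychain under
    // the networkextensionsharing access group. Confirm the import above persisted it there.
    guard eap.setIdentity(identity) else {
        print("setIdentity failed")
        return
    }

    let configuration = NEHotspotConfiguration(hs20Settings: h20, eapSettings: eap)
    NEHotspotConfigurationManager.shared.apply(configuration) { error in
        if let error = error {
            print("Error: \(error.localizedDescription)")
        } else {
            print("Success")
        }
    }
}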