Just for added info: I had the exact issue and the solution above worked for me, except I wasn't comfortable just deleting the objects in ADSI Edit (call me paranoid), especially as I found that they were not easy to distinguish, so deleting something I couldn't identify wasn't a risk I wanted to take.
Below is what sorted the issue, cobbled together from other bits of information in old Lync 2013 articles about possible AD sync issues:
1) Removed the current OAuth certificate that was about to expire via the GUI
2) Forced AD sync from the DC via cmd: repadmin /syncall /AdeP
At the Front End server Skype shell:
Enable-CsAdForest
Enable-CsAdDomain
3) Went to the SFB GUI to assign my new OAuth certificate - requested a new one, which this time assigned correctly with no error
4) The new certificate should then replicate from the CMS to all other Front Ends on the next replication run
To speed this up I ran Invoke-CsManagementStoreReplication, and then all certificates were allocated on the Front Ends
5) You can also restart the Skype for Business replica service on Front Ends if needed
I believe the root of the problem is uncommitted AD objects in SFB, hence the Enable-CsAdForest and Enable-CsAdDomain commands.
I was relieved to sort this, as there is not much info out there on this error and, with SFB no longer in use as much, the various blog articles on the web are starting to become very thin on the ground.
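As an added example (not the poster's script and not from Microsoft's documentation), here are the five steps above consolidated into one Skype for Business Management Shell script, with a check before and after the certificate swap and a replication status check before touching any replica service. The domain controller name, CA path and certificate friendly name are placeholders for your environment; it assumes Windows PowerShell 5.1 on a Front End with the SkypeForBusiness module, uses Remove-CsCertificate as the shell equivalent of the GUI removal in step 1, and runs repadmin on the DC via Invoke-Command rather than from a cmd prompt.

```powershell
# Added example, not the original poster's code.
# Assumed placeholders: adjust these three for your environment.
$DomainController     = "dc01.corp.example.com"                 # assumed
$CertificateAuthority = "ca01.corp.example.com\Corp-Issuing-CA" # assumed, "host\CA name" form
$FriendlyName         = "SfB OAuthTokenIssuer $(Get-Date -Format yyyyMMdd)"  # assumed

Import-Module SkypeForBusiness -ErrorAction Stop

# Step 0: record what is currently assigned so you can tell old from new later.
$old = Get-CsCertificate -Type OAuthTokenIssuer
if ($old) {
    "Current OAuthTokenIssuer cert: {0} expires {1}" -f $old.Thumbprint, $old.NotAfter
}

# Step 1: remove the expiring OAuth assignment. This clears the assignment in the
# CMS; the certificate itself stays in the local computer store.
if ($old) { Remove-CsCertificate -Type OAuthTokenIssuer -Confirm:$false }

# Step 2: force AD replication from the DC, then re-run forest and domain prep so
# any uncommitted SfB objects get (re)created before the new request.
Invoke-Command -ComputerName $DomainController -ScriptBlock { repadmin /syncall /AdeP }
Enable-CsAdForest
Enable-CsAdDomain

# Step 3: request a new OAuthTokenIssuer certificate from the enterprise CA and
# assign it. Request-CsCertificate -New returns a reference carrying the Thumbprint.
$new = Request-CsCertificate -New -Type OAuthTokenIssuer -CA $CertificateAuthority `
         -FriendlyName $FriendlyName -KeySize 2048 -PrivateKeyExportable $true
Set-CsCertificate -Type OAuthTokenIssuer -Thumbprint $new.Thumbprint

# Step 4: push the CMS change to the other Front Ends now rather than waiting for
# the next scheduled run, then see which replicas still report out of date.
Invoke-CsManagementStoreReplication
Start-Sleep -Seconds 60
$stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }

# Step 5: only restart the Replica Replicator Agent (service name REPLICA) on
# Front Ends that are still behind.
foreach ($r in $stale) {
    "Replica {0} not up to date, restarting REPLICA service" -f $r.ReplicaFqdn
    Get-Service -ComputerName $r.ReplicaFqdn -Name REPLICA | Restart-Service
}

# Final check: the assigned OAuth cert should now be the new thumbprint.
Get-CsCertificate -Type OAuthTokenIssuer | Select-Object Use, Thumbprint, NotAfter
```

The OAuthTokenIssuer assignment is global in the CMS, so Set-CsCertificate on one Front End is enough; the other Front Ends pick it up through replication, which is why the script checks Get-CsManagementStoreReplicationStatus instead of assigning the certificate on each server. Run it on a Front End during a maintenance window, since server-to-server authentication (Exchange and SharePoint integration, for example) is disrupted between the removal in step 1 and the new assignment in step 3.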