Add 'custom CA certs' to LXD for OpenID trusts

LXD doesn’t watch /etc/ssl/... for new files being added. The OIDC client has a persistent HTTP client that it uses to refetch JWKs on key rotation at the IdP. It’s likely that your new certs weren’t being picked up. We can do better on our side to surface issues like this (perhaps rejecting the configuration if discovery fails).

Thanks for the heads up, will add more info to the docs and create an issue to make these errors more transparent.

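The behaviour described above, a long-lived HTTP client whose TLS config keeps the CA pool it was built with, shown as an added Go example that is not LXD's own code: LoadPool, NewClient and WriteSelfSignedCA are hypothetical helpers, and the CA certificates are constructed throwaway fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// LoadPool reads every *.crt in dir into a fresh CertPool and reports how many files parsed.
func LoadPool(dir string) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	files, _ := filepath.Glob(filepath.Join(dir, "*.crt")) // only fails on a bad pattern
	for _, f := range files {
		b, err := os.ReadFile(f)
		if err != nil {
			return nil, 0, err // an unreadable CA file is worth failing loudly on
		}
		if pool.AppendCertsFromPEM(b) {
			n++
		}
	}
	return pool, n, nil
}

// NewClient pins a long-lived http.Client to one pool: certs added to the directory
// afterwards are not trusted until the caller runs LoadPool again and rebuilds the client.
func NewClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// WriteSelfSignedCA writes a constructed throwaway CA certificate to dir/name.crt (fixture only).
func WriteSelfSignedCA(dir, name string) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with crypto/rand
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	block := &pem.Block{Type: "CERTIFICATE", Bytes: der}
	return os.WriteFile(filepath.Join(dir, name+".crt"), pem.EncodeToMemory(block), 0o644)
}
```

A client built from the first pool keeps that pool even after a second CA file lands in the directory; only a fresh LoadPool plus a new client picks it up, which is the gap a reload hook or a discovery-time check would close.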