We have the similar issue too. So appending our own CA cert to the bottom of the cacert.pem fixed our issue.
Please note at our version (4.1.3) the cacert.pem is located at $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/lib/certifi/ folder. if you cannot find it at these folders, perhaps use any "find" command would do the trick.
I think Splunk should document this workaround at the doc, as it is very common that companies would use their own company signed certificate for the Azure management endpoint.