I've got the same docker image, and have the same issue on my server (debian), two raspberries (hyperiot and raspbian), and on my windows pc (using wsl, ofc). All give the exact same behaviour. Mosquitto is also version 1.6.12. The config is a copy-paste of yours, where I replace the remote username with my token.
Could it be that these settings are different for different users? As in; TLS works differently for non-paying users?
EDIT: it may be a different issue, but exporting certificates from Chrome only allows me to export .cer and .c7b files. I got the certificates using another browser, but this may cause other issues. Are these certificates available as files somewhere?