We identified in our case that we were exporting the WRONG certificate, because Keychain Access has a UX deficiency in that when you use the search box, you don't see certificates with a name matching what you searched for, you see certificates tied to PRIVATE KEYS with a name that matches what you searched for.
Because of this confusing UX of Keychain access, we were continually exporting the wrong certificate (but had convinced ourselves it was right because the name matched). Once we identified it as the right certificate, our import problem & signing identity missing private keys messages went away