I did run tests locally, but it seems like the test did not run locally due to stunnel not being installed on my system.
(Side note: that test also never failed on CI test builds, are tests only ran with a single backend or why was it never caught during the PR?)
I had a look into the failing test, the problem is that mbedtls_x509_crt_parse of mbedTLS requires the terminating null-byte to be part of the data, while the passed length does not include the null-byte.
CURLOPT_SSLCERT_BLOB support was already added before my PR, so I had a look how this discrepancy was dealt with there, but it seems like it was not handled either. No tests seem to exist for this API, so I assume the same issue happens there, but was just never detected.
There are some issues about this null-termination requirement for mbedTLS: