As described in the Part 1, the certificates may belong to the classic “Crypto providers” and the new-style “Key Store Providers” (also known as CNG, Cert Next Generation). These CNG certificates don’t work well with the traditional .NET classes, for example if you try to get the field PrivateKey, it will be returned as empty.
But it turns out that there is a new API for them, collected in the helper class System.Security.Cryptography.X509Certificates.RSACertificateExtensions. The new way to get the private key is (in a PowerShell example):
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
It works for both the old and new certs, on both the full .NET and Core .NET (such as you would find on the NanoServer).