WS1 is issuing an authentication certificate to the current Windows user during enrollment. If using a staging account, WS1 will re-assign the device to the first domain user logged on. Therefore a local user owning the cert, which later will not be used, will very likely not work.
In regard to GPOs: if there are conflicting directives from MDM and AD GPOs, you can choose who should win: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict
In addition: be aware that Microsoft decided not to support any 3rd-party MDM provider besides SCCM. When the Configuration Manager client detects that a third-party MDM service is also managing the device, it automatically deactivates the following workloads in Configuration Manager:
- Resource access policies for VPN, Wi-Fi, email, and certificate settings
- Application management, including legacy packages
- Software update scanning and installation
- Endpoint protection, the Windows Defender suite of antimalware protection features
- Compliance policy for conditional access
- Device configuration
- Office Click-to-Run management
Source: https://docs.microsoft.com/en-us/mem/configmgr/comanage/coexistence
- Alex
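As an added example (not part of Alex's reply), here is a PowerShell audit that reports how a device resolves MDM/GPO conflicts and whether the ConfigMgr client is present alongside the MDM enrollment. It assumes the applied Policy CSP value is mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device and that the ConfigMgr client runs as the CcmExec service.

```powershell
# Added audit script; run elevated on the managed Windows device.
# Assumption: Policy CSP settings applied by the MDM are mirrored here.
$conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

function Get-MdmGpoConflictMode {
    # Returns 'MDM wins', 'GPO wins' or 'not set' based on MDMWinsOverGP.
    $item = Get-ItemProperty -Path $conflictKey -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default: GPO wins on conflict)' }
    switch ($item.MDMWinsOverGP) {
        1       { 'MDM wins (MDMWinsOverGP = 1)' }
        0       { 'GPO wins (MDMWinsOverGP = 0)' }
        default { "unexpected value: $($item.MDMWinsOverGP)" }
    }
}

function Get-ConfigMgrClientState {
    # ConfigMgr client presence matters because it deactivates workloads
    # when it detects a third-party MDM (see the coexistence doc above).
    $svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'ConfigMgr client not installed' }
    return "ConfigMgr client present, service status: $($svc.Status)"
}

function Get-EnrollmentSummary {
    # Enrollment entries live under Enrollments\<GUID>; list the provider IDs found.
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ProviderID) { "$($_.PSChildName): $($p.ProviderID)" }
        }
}

Write-Host "Conflict resolution : $(Get-MdmGpoConflictMode)"
Write-Host "ConfigMgr client    : $(Get-ConfigMgrClientState)"
Write-Host 'MDM enrollments     :'
Get-EnrollmentSummary | ForEach-Object { Write-Host "  $_" }
```

If both a third-party MDM enrollment and a running CcmExec service show up, expect the ConfigMgr workloads listed above to be deactivated on that device.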