Tuesday, 27 August 2013

Windows RRAS cannot find IKEv2 certificate after restart

We have a server running Windows Server 2012 for VPN connections with RRAS.
After some initial difficulties with the PKI to get a certificate
acceptable for IKEv2, we finally got it working.
It worked for about a week, and now, after we restarted the services for
an unrelated issue, it seems the server can no longer find the correct
certificate even though it is in the Certificate Manager.
All clients (built-in Windows VPN client) give error
13806: IKE failed to find valid machine certificate. Contact your Network
Security Administrator about installing a valid certificate in the
appropriate Certificate Store.
The client logs are enormous and hard to make any sense of, but they don't
seem to say anything that the error message doesn't.
The certificate that worked before is in the Machine Store on the RRAS
server. I checked it again against this detailed survey of what works and
what doesn't work and it appears fine. The certificate's CN is set to its
internal FQDN, but the Subject Alternative Name: DNS Name is set to the
DNS name the VPN clients are using.
Other things I've considered:
The certificate doesn't expire until 2015.
Both the client and server trust the AD CA's root certificate
Using PPTP to the same server works fine
Server event logs seem to show nothing
Attempting to connect from a computer inside the network also fails with
the same error
Is there any way I can force the server to pick the right certificate or
at least see why now it refuses the certificate that it accepted earlier?
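One way to narrow down which certificate in the machine store is actually usable for IKEv2 is to check every certificate in Cert:\LocalMachine\My against the properties Windows expects (private key present, not expired, Server Authentication and/or IP security IKE intermediate EKU, SAN containing the name clients dial, valid chain). This is an added diagnostic script, not part of the original post and not RRAS's own selection logic; the EKU OIDs are the standard ones, and $VpnDnsName is a placeholder to replace with the real VPN name.

```powershell
# Added diagnostic (not from the original post): checks each certificate in
# Cert:\LocalMachine\My against the properties an IKEv2 server certificate needs.
# Assumptions: RRAS selects from LocalMachine\My; the expected EKUs are
# Server Authentication (1.3.6.1.5.5.7.3.1) and IP security IKE intermediate
# (1.3.6.1.5.5.8.2.2); $VpnDnsName is a placeholder for the name clients use.
param(
    [string]$VpnDnsName = 'vpn.example.com'   # placeholder, replace with the real name
)

$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'

function Test-Ikev2ServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs from the Enhanced Key Usage extension (2.5.29.37), if present.
    $ekus = @($Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Subject Alternative Name extension (2.5.29.17), rendered as text, e.g. "DNS Name=vpn.example.com".
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        Expired       = $Cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $Cert.HasPrivateKey          # no private key = unusable for IKE
        ServerAuthEku = $ekus -contains $ServerAuthOid
        IkeIntermEku  = $ekus -contains $IkeIntermediateOid
        SanMatchesVpn = $sanText -match [regex]::Escape($VpnDnsName)
        ChainValid    = $Cert.Verify()               # builds the chain with the default policy
    }
}

# Run the checks over the whole machine store; a candidate needs HasPrivateKey,
# ChainValid and at least one of the two EKUs to be True, and Expired to be False.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-Ikev2ServerCert -Cert $_ } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RRAS server; a certificate that looks right in the Certificate Manager but reports HasPrivateKey = False or ChainValid = False here is the usual reason a service stops finding it after a restart.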
