I think I got it (at least I can use the same pfx from two nodes now without error). The key was in here:
First off, my cert did not have the full trust chain, so that was a problem. What resolved it for me was
Got a new sslCert for both Client and Server auth (Extended Key Usage)
I exported this to PEM as keyStore.pem:
openssl pkcs12 -in myCert.pfx -out keyStore.pem -nokeys -nodes
I edited the PEM file to remove my cert and just keep the CAs.
Instead of specifying truststore, I added:
xpack.security.transport.ssl.certificate_authorities: [ "keyStore.pem" ]
When starting up and running _xpack/ssl/certificates, I see the CAs listed in both the PEM and pfx. Second node is able to join as well.
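The manual step in the procedure above (exporting the pfx with `-nokeys -nodes` and then editing the PEM by hand so only the CA certificates remain) is easy to get wrong when the chain is longer than one CA. The script below is an added example, not the poster's own script or anything from Elastic; it automates that filtering step. It assumes the bundle looks like what `openssl pkcs12 -nokeys -nodes` writes, with a `subject=` and `issuer=` line ahead of each certificate, and it keeps exactly the certificates that issue some other certificate in the bundle (the intermediates and the root), dropping the end-entity node certificate. The sample bundle it builds is constructed for the demo; its base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not the forum poster's script): turn the PEM bundle that
#   openssl pkcs12 -in myCert.pfx -out keyStore.pem -nokeys -nodes
# writes into a CA-only file suitable for
#   xpack.security.transport.ssl.certificate_authorities: [ "ca-only.pem" ]
# Assumption: each certificate is preceded by the "subject=" / "issuer=" lines
# openssl pkcs12 prints; a certificate is kept when its subject is the issuer
# of another certificate in the bundle (root and intermediates), so the
# end-entity certificate is dropped without any manual editing.

# keep_chain_cas INPUT_BUNDLE OUTPUT_FILE
keep_chain_cas() {
    awk '
    /^subject=/ { subj = substr($0, 9) }
    /^issuer=/  { iss  = substr($0, 8) }
    /^-----BEGIN CERTIFICATE-----/ { inblock = 1; block = "" }
    inblock { block = block $0 "\n" }
    /^-----END CERTIFICATE-----/ {
        inblock = 0
        n++
        subjects[n] = subj; issuers[n] = iss; blocks[n] = block
    }
    END {
        for (i = 1; i <= n; i++) {
            isca = 0
            for (j = 1; j <= n; j++)
                if (i != j && issuers[j] == subjects[i]) isca = 1
            if (isca) printf "%s", blocks[i]
        }
    }' "$1" > "$2"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample bundle in the shape openssl pkcs12 -nokeys -nodes produces:
# leaf (node cert), issuing CA, self-signed root. Bodies are placeholders.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01
subject=CN = node-1.example.test
issuer=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Issuing CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed bundle: 3 certs in, 2 CA certs out.
demo() {
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/keyStore.pem"
    keep_chain_cas "$tmp/keyStore.pem" "$tmp/ca-only.pem"
    echo "certs in bundle: $(count_certs "$tmp/keyStore.pem")"
    echo "CA certs kept:   $(count_certs "$tmp/ca-only.pem")"
    cat "$tmp/ca-only.pem"
    rm -rf "$tmp"
}

demo
```

On a real export, run `keep_chain_cas keyStore.pem ca-only.pem` and point `certificate_authorities` at `ca-only.pem`; if the output has fewer certificates than you expect, the pfx did not carry the full chain, which is the same root cause the post describes. The filter works purely on the header lines, so it does not need to parse the certificates and does not care whether openssl prints `CN = x` or `/CN=x`, as long as both lines of a pair use the same format.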