x509 Errors when running docker build on corporate LAN

This question applies specifically to Docker Desktop for Mac.

Our corporate network inserts an intermediate certificate in all SSL requests. When I run docker build while connected to the network, this results in errors like:

failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to authorize: rpc error: code = Unknown desc = failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Aamazon%2Faws-cli%3Apull&service=registry.docker.io": x509: certificate signed by unknown authority

I've tried adding a bundle that includes our intermediate certs to ~/.docker/certs.d/auth.docker.io:443/ca.crt but this didn't resolve the problem. I've tried several variations of the auth.docker.io:443 directory naming.

Were I on a Linux machine, I would append the certs to /etc/pki/tls/certs/ca-bundle.crt per the dockerd documentation but that's not something that exists on Mac. As I understand it, Docker for Mac should be importing any certs that are in my keychain, but the behavior I am seeing indicates otherwise. I'm kind of at a loss what else to try besides disabling SSL verification entirely, but that is certainly not a preferred solution.

The process for Mac is to update the macOS keychain:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt

Once you've done that, there's an important note in the documentation:

Note: You need to restart Docker Desktop after making any changes to the keychain or to the ~/.docker/certs.d directory in order for the changes to take effect.