When trying to add a new MSIX application package to an existing AVD Host Pool it fails with....
Error: ActivityId: 454-x Error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: pooled-0, Error: App contains untrusted signature. (Code: 400).
This error was due to the certificate which was used to sign the MSIX package was not installed correctly on the AVD Session Hosts. For the avoidance of doubt the certificate (PFX with the private key included) is required on all of the AVD Session Hosts. This would typically be issued centrally from an enterprise PKI (like AD CS in Windows Server) and distributed via Group Policy. However, in my development lab I created a self-signed certificate, therefore this PXF file had to be distributed to each of the AVD Session Hosts.
This certificate must be installed under Local Machine\Trusted People on each Session Host. I can honestly say I have never seen this part of the certificate store used for any other purpose. An automated install of the certificate will install it to the wrong place and you will get the 400 error listed above.