Connection to AWS IoT with M2MQTT from .net core

I managed to manually create the AWS IoT config, downloaded the certs and create a console app that could subscribe to a topic. Im now trying to automate the thing creation, which results in the certificate keys being provided by AWS as strings. Im not sure how to use these. I have the root ca downloaded already, which I assume I use for all things.

My file based cert subscriber looks like this:

            Console.WriteLine("AWS IOT Dotnet core message listener starting");
            string iotendpoint = "blahblah-ats.iot.ap-southeast-2.amazonaws.com";
            int BrokerPort = 8883;
            string Topic = "topic_1/";

            var CaCert = X509Certificate.CreateFromCertFile(@"root-CA.crt");
            var ClientCert = new X509Certificate2(@"device.pfx", "password");

            var IotClient = new MqttClient(iotendpoint, BrokerPort, true, CaCert, ClientCert, MqttSslProtocols.TLSv1_2);

            try
            {
                IotClient.Connect(Guid.NewGuid().ToString());
                Console.WriteLine("Connected to AWS IOT");

                IotClient.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
                IotClient.MqttMsgSubscribed += Client_MqttMsgSubscribed;

                IotClient.Subscribe(new string[] { Topic }, new byte[] { MqttMsgBase.QOS_LEVEL_AT_LEAST_ONCE });

                Console.ReadLine();

            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
                return;
            }

To load the cert from file, I tried this:

    var keyText = File.ReadAllText("keys.json");
    var keys = JsonConvert.DeserializeObject<Keys>(keyText);
    var bytes = Encoding.ASCII.GetBytes(keys.PrivateKey.ToCharArray());
    var ClientCert = new X509Certificate2(bytes);

with:

    class Keys {
        public string PublicKey {get;set;}
        public string PrivateKey {get;set;}
    }

and the keys from AWS in a json file :

{
    "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA4mh2PQ581XN9BmoCvDjlaktm/6gQgqGBItZThcQVMTjveU8H\npjOU2E/9lq7vmdO+96NuuMr9MKtFD+ZWtVExLjMq9hH0MvIvosVt9+6Ggcwz7Kdr\nigprfBMVORV0rgcK+nsd2DmBNrs339fqbTn5UAIFFBpqkNReW7LMl9h6g8hu4aYQ\nJTohDwSmgmNJKlzMJGtVfPggqt+bBi3lUf9NEOEz...
-----END RSA PRIVATE KEY-----\n",
    "PublicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4mh2PQ581XN9BmoCvDjl\naktm/6gQgqGBItZThcQVMTjveU8HpjOU2E/9lq7vmdO+96NuuMr9MKtFD+ZWtVEx\nLjMq9hH0MvIvosVt9+6Ggcwz7K...
-----END PUBLIC KEY-----\n"
}

Im getting an error loading the cert:

An unhandled exception of type 'Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException' occurred in System.Security.Cryptography.X509Certificates.dll: 'Cannot find the requested object.'

Can anyone see anything obviously wrong here? I dont understand certificates...

Update:

Using the PEM text produced by the AWS SDK is more correct, but I still get an error connecting - M2MQTT says there is a cert problem, it has no private key. Does it need it?

    var pemText = File.ReadAllText("thing.crt");
    var bytes = Encoding.ASCII.GetBytes(pemText);
    var ClientCert = new X509Certificate2(bytes);