Certificates are cached and used independently of the protocol version of the session on which they were observed. For example, a certificate seen on a TLS 1.2 session may be used to evaluate policy on a TLS 1.3 session.
Because TLS 1.3 encrypts the server certificate, the certificate is not visible in cut-through flows, so it is not possible to validate that the certificate used in the flow matches the certificate returned by the Learned Certificate Cache.
A domain-name-based cut-through requires certificate information, but for a TLS 1.3 session the SSLV cannot see the certificate until it mediates the session; before that it sees only the Client Hello (CH) information. Once a session is mediated it can no longer be cut through, only dropped or rejected. This is why these sessions fall under unsupported sessions: by the time all the information needed for a domain cut has been collected, the SSLV is already inside the session and can no longer cut it. Genuine TLS 1.3 flows are therefore cut as unsupported, because the certificate cannot be identified.
By adding a trigger rule that matches the domain (or a known certificate and key) in the Client Hello, you can steer the policy to apply an "observe" action to the flow instead of mediating it. The flow then matches the Inspection services rule for a known certificate and key, which decrypts the TLS 1.3 flow without the certificate having to be present in the known certificate cache.
This requires an additional rule containing the domain, which flags the flow as observe. Once flagged as observe, the flow hits the known certificate and key rule, which forces it to use the Inspection services.
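The workaround above hinges on the one thing the SSLV can read from a TLS 1.3 flow before mediation: the Client Hello. The following added example (not the SSLV product's code) parses a constructed Client Hello, pulls out the server name (SNI) and the offered protocol versions, and then applies a simplified model of the rule chain described here: a domain trigger rule flags the flow "observe", and a known-certificate-and-key match sends it to inspection. The rule semantics, the `select_action` helper and the sample domains are assumptions for illustration, not the product's policy engine.

```python
"""Parse the SNI and supported_versions extension from a TLS ClientHello.

Added example, not the SSLV product's code. It shows the only
certificate-related signal visible on a TLS 1.3 flow before mediation:
the server name the client sends in the ClientHello.
"""
import struct

EXT_SERVER_NAME = 0          # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions extension
TLS13 = 0x0304
TLS12 = 0x0303


def build_client_hello(sni, versions):
    """Construct a minimal ClientHello record (constructed test input, not captured traffic)."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host       # host_name type 0
    sni_data = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = bytes([len(vers)]) + vers
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    extensions = sni_ext + sv_ext
    body = (
        struct.pack("!H", TLS12)                  # legacy_version is fixed at 0x0303
        + bytes(32)                               # client random (zeros in this sample)
        + b"\x00"                                 # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni', 'offered_versions', 'offers_tls13'} from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    result = {"sni": None, "offered_versions": [], "offers_tls13": False}
    if pos + 2 > len(body):
        return result                             # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 2:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:          # entries: type(1) length(2) name
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and result["sni"] is None:
                    result["sni"] = edata[q:q + nlen].decode("ascii")
                q += nlen
        elif etype == EXT_SUPPORTED_VERSIONS and edata:
            n = edata[0]
            result["offered_versions"] = [
                struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)
            ]
            result["offers_tls13"] = TLS13 in result["offered_versions"]
    return result


def select_action(parsed, trigger_domains, known_cert_keys):
    """Simplified model (an assumption, not the SSLV rule engine) of the workaround:
    a trigger rule on the Client Hello domain flags the flow 'observe'; if a known
    certificate and key exist for that server, the flow goes to inspection."""
    sni = parsed["sni"]
    if sni is None:
        return "mediate"                          # nothing to key a domain rule on
    for pattern in trigger_domains:
        wildcard = pattern.startswith("*.") and sni.endswith(pattern[1:])
        if sni == pattern or wildcard:
            return "inspect" if sni in known_cert_keys else "observe"
    return "mediate"


if __name__ == "__main__":
    ch = build_client_hello("example.com", [TLS13, TLS12])   # constructed sample
    info = parse_client_hello(ch)
    print(info, select_action(info, ["*.example.com", "example.com"], {"example.com"}))
```

Running the block shows that the SNI and the TLS 1.3 offer are recoverable from the clear-text Client Hello, whereas nothing after the ServerHello (including the certificate) is, which is why the trigger rule has to key on the domain rather than on a learned certificate.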