I use self signed certs for thinclient authentication. Generate self signed cert, load into AWS workspaces, sign device certs with root, and only machines that have the cert installed and pass the username password prompt will get through the AWS service broker. I can't see how using a CA signed cert helps me in any meaningful way. If I lose trust in the cert, I revoke it myself from the service.