SSH with short lived cert still asking for password

I’m trying to set up SSH over Argo Tunnel with short lived certs, but it’s still asking for the user’s password when connecting.

I think this might be because the result of cloudflared access ssh-config --hostname --short-lived-cert is wrong, it tells me to add:

  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %[email protected] >&2 <&1'

  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/
  CertificateFile ~/.cloudflared/

but looking in the ~/.cloudflared/ dir during connection, the IdentityFile does exist but the CertificateFile doesn’t.

The host system is macOS 10.15.2 and the cloudflared program is up-to-date.
Remote system is a RPi running raspian 10 buster