SSH with short lived cert still asking for password

I’m trying to set up SSH over Argo Tunnel with short lived certs, but it’s still asking for the user’s password when connecting.

I think this might be because the result of cloudflared access ssh-config --hostname pi-ssh.heppell.network --short-lived-cert is wrong, it tells me to add:

Host pi-ssh.heppell.network
  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %[email protected] >&2 <&1'

Host cfpipe-pi-ssh.heppell.network
  HostName pi-ssh.heppell.network
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/pi-ssh.heppell.network-cf_key
  CertificateFile ~/.cloudflared/pi-ssh.heppell.network-cf_key-cert.pub

but looking in the ~/.cloudflared/ dir during connection, the IdentityFile does exist but the CertificateFile doesn’t.

The host system is macOS 10.15.2 and the cloudflared program is up-to-date.
Remote system is a RPi running raspian 10 buster