Task
Resolution: Done
Normal
ACM 2.9.0, ACM 2.8.0, ACM 2.7.0
To validate custom certificates in a secret with a CertificatePolicy, a user is required to apply a specific label to the secret to indicate to the policy controller which key holds the certificate.
This was documented up to ACM 2.3, but has since been removed: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/governance/index#bringing-your-own-certificates
The specific label is still the correct way to have a CertificatePolicy evaluate a secret with a custom certificate.
https://github.com/stolostron/cert-policy-controller/blob/main/controllers/certificatepolicy_controller.go#L367-L372
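The key selection described above, modelled as an added example with plain maps in place of a Kubernetes Secret (this is not the controller's own code). The label name `certificate_key_name` and the default key `tls.crt` are assumptions taken from the ACM 2.3 documentation; the secret data and certificate are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Assumptions: label name as given in the ACM 2.3 docs; "tls.crt" as the default data key.
const keyLabel, defaultKey = "certificate_key_name", "tls.crt"

// certFromSecret picks the data key (label value if set, else the default) and parses its PEM.
func certFromSecret(labels map[string]string, data map[string][]byte) (*x509.Certificate, error) {
	key := defaultKey
	if v := labels[keyLabel]; v != "" {
		key = v
	}
	block, _ := pem.Decode(data[key])
	if block == nil {
		return nil, fmt.Errorf("no PEM certificate under key %q", key)
	}
	return x509.ParseCertificate(block.Bytes)
}

// sampleCertPEM returns a constructed self-signed certificate that expires after ttl.
func sampleCertPEM(ttl time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"sensor.example.test"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, _ := sampleCertPEM(24 * time.Hour)
	data := map[string][]byte{"sensor-cert.pem": pemBytes} // constructed secret data, custom key
	fmt.Println(certFromSecret(nil, data))                 // unlabeled: the certificate is not found
	cert, err := certFromSecret(map[string]string{keyLabel: "sensor-cert.pem"}, data)
	fmt.Println(cert.NotAfter, err) // labeled: the expiry is available for evaluation
}
```

Without the label, a certificate stored under a custom key is never parsed in this model, so its expiry cannot be checked.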