Using Vault signed keys through a jump host

We’ve got Vault SSH CA set up, and can successfully log into a box using a signed key, however, we’d like to use that host as a jump-point to other boxes, which we currently do with an ssh command structured like this:
ssh -p 22 -o StrictHostKeyChecking=no -o "ProxyCommand ssh -p 2222 -W %h:%p ubuntu@<jump-host>" ubuntu@<destination host>

If we try that using the local ssh key signed by Vault, we just get ‘Permission Denied’, even though the host at the final destination should accept the CA-signed keys just like the jump host. It seems to not be passing the signed credentials through. Has anyone had any experience getting this to work, or know if it’s even possible? Thanks!

Wondering if you’ve resolved this? Did you try turning on ssh -v to see the diagnostics?