Microsoft errors from the field
Learn from real-life examples of Microsoft errors encountered in the field and how to troubleshoot them effectively.
In any workstation migration, the device is subject to many controlling factors, including GPO, Intune, DNS, network, VPN, installed software, conditional access, tenant configuration, permissions, enterprise apps, and more.
We have other articles related to Intune enrolment which may also help guide you to a resolution:
Intune Enrollment has not succeeded - PowerSyncPro
Microsoft publishes short guidance on Entra ID error codes. Microsoft's articles and Microsoft support are the single source of truth when diagnosing why something is happening.
For example, this article is quite comprehensive:
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
However, in some circumstances we have found additional or contributory reasons for an error, or a fix for it. This list is not a panacea for your challenge; it is more of an aide-mémoire to help, and you never know, we might hit the jackpot.
AADSTS50001: The resource principal named urn:p2p_cert was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
When you move a device to Entra Joined, Microsoft creates the application registration “P2P Server”. We suspect that this app either doesn't exist or that there is a race condition while it is being created for the first time, so try the migration again. This might be a transient error, and it is typically only related to the orchestration of RDP on Entra Joined devices, so try RDP again if that's what you're doing. If you're using PowerSyncPro Migration Agent to migrate the device between join states, you can delete the "c:\Program Data\Declaration Software Ltd" folder and then restart the “PowerSyncPro Migration Agent” service on the workstation; the migration will start and try again. We had one customer who deleted the app as part of sanitisation because, being created automatically, it wasn't known or documented internally. The “P2P Server” service principal facilitates certificate-based Remote Desktop Protocol (RDP) authentication, known as PKU2U, for Azure AD or Entra-joined devices.
8009000b: Key not valid for use in specific state.
80090016: Keyset does not exist.
We saw these at one customer when users were logging on to Microsoft workloads. We do not know the exact cause, but for our customer, running the WPJCleanUp executable fixed the issue. We spotted that WPJCleanUp must be run under the user context. There are also other solutions in the Microsoft article below.
Reset activation state for Microsoft 365 Apps for enterprise - Microsoft 365 Apps | Microsoft Learn
CAA50024: Error response came from MDM terms of use page.
Whilst it is possible to have an error on the terms of use page, we discovered that this particular user simply didn't have an Intune license, so ensure users are appropriately licensed for the actions you're trying to perform. Ultimately, your tenant needs to be licensed for P1 to be able to utilise Intune features.
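A tenant-side check for the two causes above that can be confirmed from Entra ID: the missing “P2P Server” service principal behind AADSTS50001 and the missing Intune license behind CAA50024. This is an added example, not PowerSyncPro or Microsoft code; it assumes the Microsoft Graph PowerShell SDK, the Application.Read.All and User.Read.All scopes, and that INTUNE_A is the Intune service plan name in the user's license.

```powershell
# Added example: tenant-side checks for AADSTS50001 and CAA50024.
# Assumptions: Microsoft Graph PowerShell SDK is installed; the caller can use the
# Application.Read.All and User.Read.All scopes; 'INTUNE_A' is the Intune service plan.
param(
    [Parameter(Mandatory)]
    [string] $UserPrincipalName   # the user being migrated or enrolled
)

Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' | Out-Null

# AADSTS50001: search by the resource name quoted in the error, then by display name.
$sp = @(Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'urn:p2p_cert')" -All)
if ($sp.Count -eq 0) {
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq 'P2P Server'" -All)
}

if ($sp.Count -eq 0) {
    Write-Warning "No 'P2P Server' service principal found. It may not have been created yet, or it was deleted."
} else {
    foreach ($p in $sp) {
        if (-not $p.AccountEnabled) {
            Write-Warning "Service principal '$($p.DisplayName)' exists but is disabled."
        }
        [pscustomobject]@{
            Check   = 'P2P Server service principal'
            Name    = $p.DisplayName
            AppId   = $p.AppId
            Enabled = $p.AccountEnabled
        }
    }
}

# CAA50024: confirm the user holds a license with an enabled Intune service plan.
$intune = @(Get-MgUserLicenseDetail -UserId $UserPrincipalName -All |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'INTUNE_A' })
$intuneEnabled = [bool]($intune | Where-Object { $_.ProvisioningStatus -eq 'Success' })

if (-not $intuneEnabled) {
    Write-Warning "$UserPrincipalName has no enabled Intune service plan."
}
[pscustomobject]@{
    Check   = 'Intune license'
    Name    = $UserPrincipalName
    AppId   = $null
    Enabled = $intuneEnabled
}
```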