Which cert hash did you enter into the MEBx? The hash for the actual provisioning cert, or the hash for your root CA that issued the cert? In order for everything to work, you have to enter the has of the root CA.
the CA Hash has been entered
we have the machines in AD
and they show provisioned in SCCM, but cannot connect to the management console
Have you tried power control operations?
Right click on a provisioned system, select "Out of Band Management" then "Power Control".
While the OOB Management Console uses Kerberos authentication, these power control commands use the digest user. If the power control commands work, that tells us that there's a problem with Kerberos authentication. If the power controls commands do not work, that's usually a sign that there's something wrong with the TLS cert assigned to AMT.
If the power control command does work, I recommend checking the AMT OU you are using in Active Directory to make sure that there are objects there for your provisioned systems.