I notice that Firefox Quantum marks the internal website authorization.acquiring.UAT.valitor.com as valid because it presented a certificate for authorization.acquiring.valitor.com, a different subdomain. What gives?
Turns out this was a certificate for both domains. The Page Info tool only showed me the other production domain part of the certificate, however, even when I was viewing UAT.