Why Have Certificates with non-Exportable Keys in Azure Key Vault?

I feel like I must be missing something obvious or I'm being very dense. If I generate a self-signed certificate with Key Vault, or import a PFX with a private key, but do not mark the private key as exportable, as far as I can tell there is literally nothing I can do with that certificate from an API standpoint. Perhaps I can use it with a Gateway to terminate SSL or something, but I can't find any way to decrypt or sign data with them, or do anything useful with them the way I can with Keys. At least Keys marked as non-exportable still have decrypt and sign APIs. Certificates in Key Vault without an exportable key seem like bricks. Is there anything useful that can be done with these certificates?

The only useful thing you can do with the public key is to verify tokens or data that you have received. The alternative it to send data to AKV and have it signed/encrypt in for you. You can also use the public key to sign data, but then the receiver must have the public key to verify the signature.

It sure is annoying that you can't get both from when you download it as a certificate.

If you download the secret that is generated with the same name and version as the certificate, you can get the private key as well. It should be in the PFX you can download. It will have an empty password though (so not the original you have used during import).