Providing an update for others who may run into this. The issue was in the certificate installed on the client. Resolution is essentially the same as in this thread that I quoted above : Mbedtls_ssl_handshake return error -0x2700 - #5 by KennethSong
Need to use certificate that has CA flag set (not be leaf cert) and CN name must match between client cert and server cert. Most of certificates available from Google public certificate repository can be used, check the pki.goog. The expiration dates can be a challenge to embedded devices. Some note from Google on that:
Google’s recommendation for devices that seek to connect to Google services securely:
Blockquote
I’m building a product that connects to Google services. What CA certificates do I need to trust?Google certificates are issued by different CAs depending on the current business needs and best practices. A certificate chain cannot be considered static.
Developers of applications connecting to Google services must take this into consideration and never hardcode Intermediate or Root Certificate Authorities. Developers should instead build a robust mechanism to update the set of CAs trusted by their applications.
Google services’ certificates can be issued by any of the Certificate Authority from this regularly updated list. Applications connecting to Google services should trust all the Certificate Authorities from that list.
Blockquote