RDWeb TS connection broken for some users post RemoteApp certificate change
Found this page after experiencing the same problem. For us the solution was to add port 3389 to loopback (aka Hairpin NAT) on our firewall.
Some additional detail:
Replacing the certificate was trickier than installing it the first time, but I think we did it correctly, and apps worked fine for a day or two. Users started getting errors on launch, and we wound up using the powershell script here https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to re-publish the FQDN of the server.
I think this script must have set the FQDN in a part of the config that had never been specified before, causing the RD Gateway to refer to itself by its FQDN to hand off requests. These requests failed as our edge firewall allowed only 80 and 443 for both incoming and loopback requests.
Adding port 3389 to the loopback rule on the firewall resolved the problem immediately.