Hi Paula
As I read it the user with the new role in the certificate would be the one appearing on the certificate as they are the closest role assignment context to the certificate activity
The other roles with the moodle/course:update would be at course level so would continue to be able to update the certificate as they still have the permission it is just at a higher context .
Regards