@coyote @pwm update: I did finally get Pleroma (but not funkwhale) to approve of my TLS 1.3 certificate:
For some reason that probably isn't secure I had to disable all of the excluded ciphers in postfix. I have no idea why and I know this isn't secure but it works