Hi Graham,
As you saw, there's no good mechanism for this via certutil. Honestly, the logic for the legacy verifier that would accomplish this is somewhat lacking, as well.
There's a meta-bug for someday reworking the tools to use mozilla::pkix, which would accomplish what you're looking for, Bug 1648172. The significant lift here though would be reworking the relevant tool to compile in C++, needed for mozilla::pkix.
If you're interested in contributing that rework, we'd love to work with you on it. But nevertheless, mozilla::pkix, in the lib/mozpkix dir, is the right way to approach this problem.
Cheers,
J.C.