You probably figured this out by now, but as far as I understand you are fine with an "HTTP/2 provider certificate".
The Mar 31, 2021 deadline only affects the "legacy binary protocol", in other words certificates that have been created "a long time ago". From what I can see, through the Developer Portal you are only able to create APNs certificates based on HTTP/2, but I'm not an expert on the field. Like I didn't see a checkbox that let's you select "HTTP/2" or something.
Apple Push Notification service SSL (Sandbox & Production)
Establish connectivity between your notification server, the Apple Push Notification service sandbox, and production environments to deliver remote notifications to your app. When utilizing HTTP/2, the same certificate can be used to deliver app notifications, update ClockKit complication data, and alert background VoIP apps of incoming activity. A separate certificate is required for each app you distribute.
In my opinion Apple is doing a not so great job with how they communicate those things. Yes, there is this article - https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/sending_notification_requests_to_apns which describes both Tokens and Certs, but they do a poor job comparing "legacy certificates" with "HTTP/2 certificates".
Because a lot of blogs out there used to compare things like this:
Auth Tokens (HTTP/2) vs. the legacy way (certificates)
But as we have seen now, the certificate situation is the one that needs to be distinguished more granularly.
