Errors trying to follow recipe for istio install on a VM

Trying to just follow the steps from Istio / Virtual Machine Installation

As soon as I start istio with systemctl on VM I see authorization error in the istio log. After this, I get infinite loop of istio trying to authenticate and then failing requests to the XDS server that need to be authenticated:

% warn cannot parse the cert chain, using token instead: failed to read the cert, error is open etc/certs/cert-chain.pem: no such file or directory
% info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
% warn xdsproxy upstream [1] terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
% warn sds failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure

It says it is giving up on parsing cert chain and is using token instead. I have the token that I created on my k8s cluster in the right place with the right permissions.

I assume that what is supposed to happen is that the token file gets read and sent to pilot, which creates a private key and sends it back to the VM istio. Then future startup of istio uses the key file???
Can anyone confirm or correct my guess above about how this is supposed to work?

I would love to see an istio log from a successful startup of a VM based istio system that had no cert chanin, a istio-token in the token directory and a root-cert.pem in the cert directory. Can anyone post a log from the official istio VM recipe working correctly for bootstrapping initial authorization and mTLS setup?

My setup
Ubuntu 18.04
istio 1.16.1
kubernetes v1.25.3 (minikube)

Any help or ideas appreciated.
-drl