Description
Details of the scenario you tried and the problem that is occurring:
When using the certificate export wizard, you are given the option to use TripleDES-SHA1 encryption or AES256-SHA256 encryption to protect the certificate using a password and/or AD DS groups and users. Set-TargetResource for PfxImport of an AES256-encrypted file fails with "The PFX file you are trying to import requires either a different password or membership in an Active Directory principal to which it is protected."
I had to solve a bunch of issues related to user groups and share access before getting to this point, so I'm confident I've localized the problem. Initially, my PFX file was password protected, then I switched to AD DS principal security, and then finally I switched to using TripleDES-SHA1 encryption (with AD DS security) and I stopped receiving the above error.
The DSC configuration that is using the resource (as detailed as possible):
    PfxImport $cert.Thumbprint
    {
        Ensure     = "Present"
        DependsOn  = "[WindowsFeature]Web-Server"   # IIS role first, so the WebHosting store exists
        Thumbprint = $cert.Thumbprint
        Path       = $cert.Path                      # PFX file on the DFS share
        Location   = "LocalMachine"
        Store      = "WebHosting"
    }
Version of the Operating System and PowerShell the DSC Target Node is running:
Target node is Server 2016, certificate path is on a DFS share on another Server 2016 machine, and I am using a DSC Push configuration from a Windows 10 Pro machine (which was also doing the cert exporting and encryption).
Version of the DSC module you're using, or 'dev' if you're using current dev branch:
CertificateDsc 4.1.0.0
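Added triage example (not from the issue reporter or the CertificateDsc module): a PowerShell script that exports a throwaway self-signed certificate once with each of the two encryption options the export wizard offers, then imports both directly with Import-PfxCertificate, so an OS-level import failure can be told apart from a failure inside the PfxImport resource. It assumes an elevated session on Windows 10 / Server 2016 or later (where Export-PfxCertificate has the -CryptoAlgorithmOption parameter), uses a constructed password instead of AD DS principal protection, and the target store path is an assumption to adjust.

```powershell
# Added diagnostic script; not part of the issue or of CertificateDsc.
# Exports a throwaway certificate with both PFX encryption options and imports
# each one with Import-PfxCertificate. If the AES256_SHA256 file imports fine
# here but fails through the PfxImport resource, the DSC resource is the
# suspect; if it fails here too, the node itself cannot read that PFX format.

$workDir = Join-Path $env:TEMP 'pfx-alg-test'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Constructed test-only password (the issue used AD DS principals instead).
$password = ConvertTo-SecureString -String 'Test-Only-P@ssw0rd!' -AsPlainText -Force

# Assumed target store; the issue's config targets LocalMachine\WebHosting,
# which only exists once the IIS role is installed. Use My if it is absent.
$targetStore = 'Cert:\LocalMachine\WebHosting'

# Throwaway certificate in CurrentUser\My so nothing machine-wide is touched yet.
$cert = New-SelfSignedCertificate -Subject 'CN=pfx-alg-test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable

foreach ($alg in 'TripleDES_SHA1', 'AES256_SHA256') {
    $pfxPath = Join-Path $workDir "$alg.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
        -CryptoAlgorithmOption $alg -ErrorAction Stop | Out-Null

    try {
        # -ErrorAction Stop turns the cmdlet's error into a catchable exception.
        Import-PfxCertificate -FilePath $pfxPath -Password $password `
            -CertStoreLocation $targetStore -ErrorAction Stop | Out-Null
        "$alg : direct import OK"
    }
    catch {
        "$alg : direct import FAILED - $($_.Exception.Message)"
    }
}

# Clean up the test certificate from both stores and remove the PFX files.
Get-ChildItem $targetStore | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Remove-Item -DeleteKey
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item $workDir -Recurse -Force
```

If the AES256_SHA256 file imports cleanly here, re-run the same PFX through the DSC configuration to confirm the failure is specific to the resource before changing the export encryption as a workaround.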