You should send the private .pfx when calling the api. This .pfx should match the certificate that you to us. If you do not do so, then you will see a client authorisation error.
When your certificate was uploaded, then MobilePay opened up for you, but you should still use .pfx every time you call the API.
You should not share the .pfx with anybody. Treat your private keys as an important asset, restricting access to the smallest possible group of employees.