Bulk Install New Certificates on Windows Server 2016+ Endpoints

Tags: automation, deployment, iis, ssl-certificate, windows-server-2016

I have begrudgingly been updating our purchased wildcard certs manually for years and I've had enough now that I've got over 100 web and client servers. The servers are mostly independent and spread across a few different domains, but there are a couple farms running which might make this easier for at least those few.

All OSes are Windows Server 2016 and 2019.

My current process at the end of every certificate validity period is to purchase a new (renew) cert and complete the CSR from my in-house management box, then export the cert in .pfx format, and install it manually on each server in the Personal store. On web servers (IIS) I modify the bindings manually as well.

I know if I were using certs generated in the domain I could simply push them out using AD CA in each domain, but based on my research I cannot find a way to roll out the cert we purchased from the vendor.

I also see that a GPO might at least be the answer here for getting the cert on the servers – it won't be hard for me to set up item-level targeting, or put all the web servers in a group or OU in each domain. The only issue I am having with this is I cannot find a way to use this method to place the cert in the Personal store, which is a requirement.

There is likely to be more than 1 "right" answer here, but I'd like to know how you guys tackle this process every year so feel free to chime in. Apologies if this has been answered in this community before, but my search did not bear fruit.

Best Answer

PowerShell is your friend.

https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate
https://docs.microsoft.com/en-us/powershell/module/iisadministration/remove-iissitebinding
https://docs.microsoft.com/en-us/powershell/module/iisadministration/new-iissitebinding

You can directly pull the PFX file from a network path (\\server\share\filename.pfx) if you have the required permissions; if you need to specify credentials, use New-PSDrive.

You can put everything together in a script block and run it on remote servers using Invoke-Command; you can specify credentials here too, if required.

This can of course be done in a loop on a list of servers, such as

$serverlist = "server1","server2","server3"

foreach ($server in $serverlist)
{
    # The script block must open on the same line as -ScriptBlock,
    # otherwise PowerShell parses it as a separate statement.
    Invoke-Command -ComputerName $server -ScriptBlock {
        Import-PfxCertificate [...]
        Remove-IISSiteBinding [...]
        New-IISSiteBinding [...]
    }
}

If you need to create PSCredential objects, have a look here.

Last but not least, you can take in everything required (such as server names, credentials, web site names, etc.) from a CSV file using Import-Csv.
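The answer's outline carried through as a complete script (an added example, not the answerer's code). It assumes a CSV with the columns Server, Site and BindingInformation and a PFX at C:\certs\wildcard.pfx; both file names and column names are made up. Instead of reading the PFX from a network share inside the remote session (which runs into the remoting double-hop problem unless you re-authenticate there), it reads the bytes once locally and passes them as an argument, and it checks the imported thumbprint against the one read from the PFX before touching any binding.

```powershell
# Added example. Hypothetical inputs: targets.csv has columns Server,Site,BindingInformation
# (BindingInformation in IIS form, e.g. "*:443:www.example.com").
$targets  = Import-Csv -Path 'C:\certs\targets.csv'
$pfxPath  = 'C:\certs\wildcard.pfx'
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString     # never a plain string on the command line
$cred     = Get-Credential -Message 'Account with local admin rights on the target servers'

# Thumbprint of the cert inside the PFX, read locally so every server is checked against the same value.
$expected = (Get-PfxData -FilePath $pfxPath -Password $pfxPass).EndEntityCertificates[0].Thumbprint

$work = {
    param([byte[]]$Bytes, [securestring]$Password, [string]$Site, [string]$Binding, [string]$Expected)
    $tmp = Join-Path $env:TEMP ("cert-{0}.pfx" -f [guid]::NewGuid())
    [System.IO.File]::WriteAllBytes($tmp, $Bytes)
    try {
        # Import into the machine's Personal store; the private key stays non-exportable
        # because -Exportable is not specified.
        $cert = Import-PfxCertificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\My -Password $Password
        if ($cert.Thumbprint -ne $Expected) {
            throw "Imported thumbprint $($cert.Thumbprint) does not match expected $Expected"
        }
        Import-Module IISAdministration
        # Replace the existing https binding for this site, if there is one, with one using the new cert.
        if (Get-IISSiteBinding -Name $Site -BindingInformation $Binding -Protocol https -ErrorAction SilentlyContinue) {
            Remove-IISSiteBinding -Name $Site -BindingInformation $Binding -Protocol https -Confirm:$false
        }
        New-IISSiteBinding -Name $Site -BindingInformation $Binding -Protocol https `
            -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation Cert:\LocalMachine\My
        "{0}: {1} {2} now bound to {3}" -f $env:COMPUTERNAME, $Site, $Binding, $cert.Thumbprint
    }
    finally {
        # Do not leave a copy of the private key lying in the temp directory.
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
}

foreach ($t in $targets) {
    # Each element of -ArgumentList maps to one parameter of the script block; the byte array
    # and the SecureString are serialized by the remoting layer, so no share access is needed remotely.
    Invoke-Command -ComputerName $t.Server -Credential $cred -ScriptBlock $work `
        -ArgumentList $pfxBytes, $pfxPass, $t.Site, $t.BindingInformation, $expected
}
```

Run it once with a single-row CSV against a test server and confirm the binding with Get-IISSiteBinding before pointing it at the full list.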