Ok found the solution.
The modem as a cacert bundle which can be editined through the web interface (or via commandline).
By adding all of the digicert certificates to this bundle and the specifying the bridge_cafile points to the bundle the mosquitto bridge can connect successfully using TLS.
It would seem there are not enough of the full chain of certificates present, by default. After installing them pointing capath in mosquitto.conf was insufficient. Documentation for mosquitto.conf would suggest that would work.
So point bridge_cafile to the bundle solves the issue
bridge_cafile /etc/cacert.pem
Hope this helps anyone else venturing here 
T