Before, the state directory was set to a path in the Nix store, which isn't writable and so makes for a terrible directory for storing state. See https://github.com/NixOS/nixpkgs/issues/141224 for a more detailed explanation.
Also, swtpm-localca tried to use certtool from the environment. Change the path so it refers directly to certtool in the Nix store.