The new confidential identities work generates keys that belong to parties but do not have a corresponding certificate. The persistent identity service uses two database tables to represent this: one which maps keys to parties (which is new), and one which maps keys to PartyAndCertificates (which was present before the confidential identities work).
The IdentityService interface has a partyFromKey method that should return the party to which a key belongs. However, this checks the key to party and certificate mapping, and as a result cannot find parties for keys that do not have a certificate.
After discussing with , the proposed fix is to change this method to check the new table. (An alternative approach would be to deprecate this API and suggest using wellKnownPartyFromAnonymous instead, but it was decided that partyFromKey was a more obvious name for what the API does.)