--cacrt needs to point to your CA certificate not the ledger certificate. You are also not specifying the CA certificate on the server side used to verify the client certificate via --sandbox-option --cacrt=… on the server side.
i recommend reading @nycnewman’s excellent blogpost on how to set this up Secure Daml Infrastructure - Part 1 PKI and certificates.