Since x509: certificate is valid for svc.example.test.cloud, set
transport.TLSClientConfig.ServerName = "svc.example.test.cloud"
VerifyPeerCertificate, if not nil, is called after normal
certificate verification by either a TLS client or server. It
receives the raw ASN.1 certificates provided by the peer and also
any verified chains that normal processing found. If it returns a
non-nil error, the handshake is aborted and that error results.
If normal verification fails then the handshake will abort before
considering this callback. If normal verification is disabled by
setting InsecureSkipVerify, or (for a server) when ClientAuth is
RequestClientCert or RequireAnyClientCert, then this callback will
be considered but the verifiedChains argument will always be nil.
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
So if normal verification fails, then VerifyPeerCertificate won't get called. Also, if normal verification passes, I don't think you need this extra check.