Quick update on this situation: it's now my understanding that this client certificate must contain my private key.
Yes for sure. A file that contains only "BEGIN CERTIFICATE..." is not enough.
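To make the "certificate only is not enough" point concrete, here is a small stdlib-only Python checker (an added example, not code from the thread or from WinSCP) that inventories the PEM blocks in a file and reports whether it carries both a CERTIFICATE block and a private-key block, which is what a TLS client certificate file needs. The sample PEM inputs are constructed placeholders with dummy base64 payloads, not real DER data; the function names and the label set are this example's own assumptions.

```python
import base64
import binascii
import re

# Matches one PEM block: "-----BEGIN X-----", base64 body, "-----END X-----".
# The backreference \1 forces BEGIN and END labels to agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# PEM labels that denote a private key (PKCS#8, legacy RSA/EC, encrypted PKCS#8).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


def pem_blocks(text):
    """Return (label, decoded_bytes) for every well-formed PEM block in text.

    Blocks whose body is not valid base64 are reported with decoded=None so a
    corrupt block is visible rather than silently dropped.
    """
    out = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = "".join(body.split())  # drop line breaks inside the body
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (ValueError, binascii.Error):
            decoded = None
        out.append((label, decoded))
    return out


def client_cert_usable(text):
    """Report whether a PEM file can serve as a TLS client certificate file.

    It needs at least one intact CERTIFICATE block and one intact private-key
    block; a file with only a certificate cannot prove possession of the key.
    """
    blocks = pem_blocks(text)
    labels = {label for label, decoded in blocks if decoded is not None}
    key_labels = labels & PRIVATE_KEY_LABELS
    has_cert = "CERTIFICATE" in labels
    return {
        "has_certificate": has_cert,
        "has_private_key": bool(key_labels),
        "key_encrypted": "ENCRYPTED PRIVATE KEY" in key_labels,
        "usable": has_cert and bool(key_labels),
        "labels": sorted(labels),
    }


def _fake_pem(label, payload):
    """Build a PEM-shaped block around an arbitrary payload (constructed, not real DER)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample files: one with only a certificate, one with cert + key.
CERT_ONLY = _fake_pem("CERTIFICATE", b"constructed placeholder, not real DER " * 3)
CERT_AND_KEY = CERT_ONLY + _fake_pem("PRIVATE KEY", b"constructed placeholder key " * 2)


if __name__ == "__main__":
    for name, pem in (("cert only", CERT_ONLY), ("cert + key", CERT_AND_KEY)):
        print(name, client_cert_usable(pem))
```

Run it against your exported file (read it as text and pass it to `client_cert_usable`): if `has_private_key` is false, the export contained only the public certificate and you need to re-export with the key included, typically as a PFX/PKCS#12 or as a PEM bundle. A true result only shows that both parts are present; it does not verify that the key actually matches the certificate, which a full X.509 library would be needed for.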
But where does WinSCP pull their public key from to encrypt data sent to them? Windows cert registry?
It's retrieved directly from the server. You do not have to have it upfront. Of course, only as long as their certificate is signed by a trusted authority. If that's not the case, you have to import the certificate to Windows certificate store. Otherwise WinSCP will show you a warning about an untrusted certificate and you can choose to confirm that you trust it nevertheless.