This is now resolved. My configuration was correct, but the problem was the CA certificate was originally generated and signed for the old hostname (“icinga-new” instead of “icinga” in my examples from my first message above).
I saw lots of these messages in /var/log/icinga2/icinga2.log:
(certificate validation failed: code 18: self signed certificate)
I wound up re-running the node wizard on the master server, which generated the correct certificate for the correct master hostname: icinga2 node wizard
Once I did this, the remote agent was able to talk to the master.