You should run the following command:

Get-AdServiceAccount -Identity gmsa_account -Properties PrincipalsAllowedToRetrieveManagedPassword

and verify the specific computer account is in the PrincipalsAllowedToRetrieveManagedPassword list, or is a member of a group in the list.

The error message you get when running Test-AdServiceAccount suggests it's not in the list, so you should add it using the Set-AdServiceAccount cmdlet.