I figured it out. I ran a bunch of tests.

The fingerprint is only needed for self-signed certs, whose CAs are not in the operating system’s trust store.

Kopia is a great piece of software and I am impressed how nicely it works. But the documentation is probably one of the worst I have ever seen. It’s outdated, inconsistent, the command line reference only shows a verbatim copy of the --help page, but no explanations whatsoever. (e.g. what values can I use for an argument)
The only way to figure out how Kopia really works is to spend hours and hours for trial and error.