I would add both to your list of allowed certs.
keytool shows the fingerprint associated with the apk that was built by expo. When google signs the apk, it changes the fingerprint. I allow both, so that I have API access for my dev apk as well as the one downloaded from the play store