I Notice that there is method "Pass the Certificate" to move to other computer in AzureAD joined local AD.
this tech need context and derivedkey from mimikatz. But mimikatz need a administrator permission to get these information.

Do you have a reference of where that is required? ROADtools can create a context + derived key combination from a PRT, but it cannot do that from data on an endpoint directly.