You say that your Legacy App Signing Certificate is no longer in use. In fact if you upgraded your app's signing key in Google Play as explained here, your Legacy App Signing Certificate is still used on Android 12L and below. This is because Google Play applies the v3.1 signature scheme when rotating the signing key, which is explained here:

• Devices that run Android 13 or higher (minSdkVersion=33) use the rotated signer in the v3.1 block.
• Devices that run older versions of Android (minSdkVersion=24, maxSdkVersion=32) ignore the rotated signer and instead use the original signer in the v3 block.

Hence when you implement Google Sign-in, you should still declare in your OAuth Client ID the SHA-1 fingerprint of your Legacy Certificate. Authentication to Google APIs will still work on Android 13 and above thanks to the proof of rotation included in the v3.1 signature -> it allows the new signing key to be recognized as valid for the OAuth Client ID associated to the Legacy Certificate.