So, I understood this error to be related to agent authentication. The first thing I checked was that the installed agent had the correct core certificates installed. It did. What I neglected to check was the Scheduler service on the core. For some unexplained reason, this service switched to using the LocalSystem user instead of our standard AD-based "service" account. Nobody here changed it. It reverted spontaneously. I'm guessing that's related to the MS patches, but I don't really know. In any case, once I switched back to our AD account, it worked and continues to work after 3 days.
Thanks to everyone for their responses!