FIPS provider isn't consistent in what it does after a failed PCT #28326

@paulidale

Description

The FIPS provider has a number of pairwise consistency checks in place. When these fail it is not consistent about how it handles them. Specifically, some failures cause the module to enter a failure state whereas others return an error (& possibly add something to the error stack).

What behaviour do we want after a failed PCT?
Whatever we choose needs to be implemented across the board consistently.

Bear in mind that a PCT is mandated on key import, so that an attacker who manages to give the module an invalid key will cause such an error which could cause the module to enter the error state and cease functioning completely.

It's likely one of NIST's standards will provide options.

Metadata

Labels

branch: 3.5 (Applies to openssl-3.5)
branch: master (Applies to master branch)
hold: discussion (The community needs to establish a consensus how to move forward with the issue or PR)
investigation needed (Issue to research a problem, from which subsequent actionable issues can be created)
severity: fips change (The pull request changes FIPS provider source)
triaged: bug (The issue/pr is/fixes a bug)