In ADFS, you have a primary and a secondary certificate. In the link https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-servers, they mention that you can have multiple token-signing certificates configured, but only the primary token-signing certificate is used by ADFS to actually sign tokens.
Is the only purpose of the secondary certificate to allow automatic certificate rollover, avoiding manual intervention after the current certificate expires at the ADFS end?
Correct. During the rollover period, the secondary certificate is available to give the RP etc. time to update.
The secondary is then promoted to primary and the original primary is deleted.
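
To see the rollover state described in this thread on a live farm, the following is an added example (not part of the original question or answer) that lists the token-signing certificates with their primary/secondary role and the rollover settings. It assumes it is run on an AD FS server with the ADFS PowerShell module available; the promotion date it prints is an estimate derived from the secondary certificate's NotBefore date.

```powershell
# Added example, not from the original thread.
# Assumption: run on an AD FS server where the ADFS module is installed.
Import-Module ADFS

$props = Get-AdfsProperties
$now   = Get-Date

# AutoCertificateRollover: AD FS generates and promotes certificates itself.
# CertificateGenerationThreshold: days before the primary's expiry that a
#   secondary certificate is generated.
# CertificatePromotionThreshold: days after generation that the secondary
#   is promoted to primary.
[pscustomobject]@{
    AutoCertificateRollover = $props.AutoCertificateRollover
    GenerationThresholdDays = $props.CertificateGenerationThreshold
    PromotionThresholdDays  = $props.CertificatePromotionThreshold
} | Format-List

$signing = @(Get-AdfsCertificate -CertificateType Token-Signing)

# One row per token-signing certificate; only the primary signs tokens.
$signing | ForEach-Object {
    [pscustomobject]@{
        Role       = if ($_.IsPrimary) { 'Primary' } else { 'Secondary' }
        Thumbprint = $_.Thumbprint
        NotBefore  = $_.Certificate.NotBefore
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = [int][math]::Floor(($_.Certificate.NotAfter - $now).TotalDays)
    }
} | Sort-Object Role | Format-Table -AutoSize

$secondary = @($signing | Where-Object { -not $_.IsPrimary })

if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is off: certificates must be added and promoted manually.'
}
elseif ($secondary.Count -eq 0) {
    Write-Output 'No secondary token-signing certificate present: no rollover in progress.'
}
else {
    foreach ($s in $secondary) {
        # Estimate only: assumes NotBefore is close to the generation time.
        $promote = $s.Certificate.NotBefore.AddDays($props.CertificatePromotionThreshold)
        Write-Output ("Rollover in progress: relying parties need to trust {0} before about {1:yyyy-MM-dd}." -f $s.Thumbprint, $promote)
    }
}
```

Any relying party that still trusts only the current primary thumbprint when the secondary is promoted will start rejecting tokens, so the thumbprint printed in the last line is the one to distribute during the rollover window.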