Why does tls certificate verification fail when pinning an invalid intermediate certificate but valid leaf (server) certificate?

Question

Here is the scenario and things that i have tested :

I am doing certificate pinning in mobile application ( flutter app) to pin the certificates of our backend domain.

Certificate verification passes and the connection is established successfully when :

1. I pin both valid leaf certificate and intermediate certificate.
2. I pin only valid leaf certificate
3. I pin only valid intermediate certificate
4. I pin invalid leaf certificate but valid intermediate certificate

Verification and hence the connection FAILS when :

1. I pin only invalid leaf cert.
2. I pin only invalid intermediate cert.
3. I pin invalid leaf cert and invalid intermediate cert.

From the above behavior, here are the conclusions that I made :

• whenever the server sends its leaf cert, first it is checked if it is present in the pinned certificate set. If this exact leaf cert is not pinned, then this leaf cert is not verified and hence it goes to look at who signed this cert which gives it the intermediate certificate.
• It again checks if this intermediate cert is in the pinned cert set. If we had pinned the same intermediate cert, then it is considered as verified and since the server cert was issued by a verified intermediate cert, the connection will be successful.
• So pinning both intermediate cert and leaf cert of the same domain (any parent cert and descendant cert) is pointless since the top most cert in the chain will be considered even if all the descendant certs fail the verification.

How ever i did one more test where connection FAILS when :

• I pin valid leaf cert but INVALID(different) intermediate cert.

• So my earlier conclusion that first the leaf certificate is checked seems to be wrong or i am missing something here.

It seems like :

• The certificates in the chain are checked in the pinned cert set from the top most cert in the chain to the bottom most ( from root till the leaf cert )

Note : The way i am pinning the invalid intermediate cert is by changing one or 2 characters from the certificate (in PEM format).

Are my conclusions correct ? What am i missing here ? are the certificates checked from leaf and only if it fails verification, does it move to look at other certs up the chain ? Or is it something else entirely ?