OK, managed to solve this problem by doing the following.
- Run as Web User needs to be enabled on the Agent Properties - Security Setting.
- You need to add BOTH your signer id AND the server id that will host the application as Password Reset Authority AND ALSO enable the “Password reset agent authority” option underneath it.
If you don't enable the option then you get the above error: "Agent containing ResetUserPassword method must be signed by a designated Password Resetter"
If you don't include your server id on that list you will get a Trust Certificate lookup error: "Missing or invalid Password Reset Trust certificate"
Hope this helps whoever runs into problems setting up agent-based password reset authority.