When creating a client ID for Android in the Google Cloud Platform developer console, I get the following popup:

Duplicate fingerprint

The fingerprint you specified is already used by an Android OAuth2 client ID in this project or another project

As the popup states, I do have another project that has the same SHA-1 fingerprint. What I don't understand is why I can't use the same SHA-1 fingerprint (signing certificate) with multiple projects?

This has serious implications if you use the same debug or release signing certificates for multiple Android apps. This isn't a huge deal for debug certificates, since you can always create a new one, however if you've already used the same release certificate to sign multiple production Android apps, can you not create separate Google Cloud projects for each app?

Is this a bug, or can you really not use the same Android signing certificate for multiple Google Cloud projects?

Is it a best practice to always use a new release signing certificate for every Android app?

First why we need to have an unique cert and package name.. A while back we decide that you shouldn't need to specify clientID in the android app (for dev simplicity and mitigate certain issues e.g. someone can not claim/use your client id if they don't have the cert even if they can have the same package name). We can do a lookup the clientID based on the package name and cert hash. This requires the combination to be unique. Does that make sense? To be clear you can use the same cert along with a different package name of the app and many do.

Is it a best practice to always use a new release signing certificate for every Android app?

I think there are pros and cons. If you ever want to sell/change ownership an app (out of many you have), it would be easier with separate cert. Also you need to think about the compromise or loss of cert. Same cert does make release process easier and to claim that they are from the same entity.

just create a new project with a different package name