If you are dead set on a specifically certificate-backed access control scheme, a VPN with the ability to use the hardware-backed certificate store (such as OpenVPN) is likely easier to set up, as it is better supported on mobile devices and doesn’t require application-level support (i.e. everything is protected, not just the apps w/ mTLS support).
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-android-keychain/
What part were you getting hung up on?