CEM client fails to communicate with the SMP server


Article ID: 377693

Updated On:

Products

IT Management Suite

Issue/Introduction

CEM client fails to communicate with the SMP server.

Warning in client log:

Request 'https://server:443/altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1' failed, COM error: Failed to connect sync socket 0000000000000750 to ipv4_address:443 (0x8007274C)

IIS logs may contain 403;16 HTTP status codes.

Environment

ITMS 8.x

Cause

Client certificate negotiation fails.

Resolution

It might be necessary to enable client certificate negotiation for HTTP.sys.

Review the current configuration by running the following command in an elevated command prompt:

NETSH HTTP SHOW SSLCERT

Now find the corresponding Default Web Site HTTPS binding (default port 443) or CEM binding (default port 4726) depending on connection type:

    IP:port                      : 0.0.0.0:4726
    Certificate Hash             : ****a06b551614acdf69e3a9987ee83a206970d4
    Application ID               : {****-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Enable Token Binding         : Not Set
    Log Extended Events          : Not Set
    Disable Legacy TLS Versions  : Not Set

Enable client certificate negotiation with:

netsh http update sslcert ipport=0.0.0.0:4726 certhash=***a06b551614acdf69e3a9987ee83a206970d4 appid={******-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable

Replace certhash and appid with values obtained previously. Mind the port number.

Reference, NETSH syntax: https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http

Note that replacing the SSL certificate may revert this change; if it does, repeat the steps above to enable client certificate negotiation again.
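
Because a certificate replacement can undo the setting, the check is worth repeating after each one. The following PowerShell sketch is an added example, not part of the original article or of the product: it parses NETSH HTTP SHOW SSLCERT output, reports the state of Negotiate Client Certificate for ports 443 and 4726, and prints the matching update command. The function name, the sample output, and the placeholder hash and appid are constructed for illustration, and English netsh labels are assumed.

```powershell
# Added example, not from the original article. Assumes English netsh labels.
# Constructed sample of 'netsh http show sslcert' output (placeholder hash and appid).
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Negotiate Client Certificate : Enabled

    IP:port                      : 0.0.0.0:4726
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Negotiate Client Certificate : Disabled
'@ -split "`r?`n"

function ConvertFrom-NetshSslCert {   # hypothetical helper name
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Fields are "Label : Value"; requiring a space before the colon keeps "IP:port" intact.
        if ($line -match '^\s*(?<key>.+?)\s+:\s(?<value>.*)$') {
            $key, $value = $Matches['key'], $Matches['value'].Trim()
            if ($key -in 'IP:port', 'Hostname:port') {
                if ($current) { [pscustomobject]$current }   # emit the finished binding
                $current = [ordered]@{ Binding = $value; Param = ($key -replace ':').ToLower() }
            } elseif ($current) { $current[$key] = $value }
        }
    }
    if ($current) { [pscustomobject]$current }
}

$ports = 443, 4726   # default HTTPS and CEM binding ports named in the article
# On the SMP server, pass (netsh http show sslcert) instead of $sample.
foreach ($b in (ConvertFrom-NetshSslCert -Lines $sample)) {
    if ([int](($b.Binding -split ':')[-1]) -notin $ports) { continue }
    $state = $b.'Negotiate Client Certificate'
    '{0,-16} Negotiate Client Certificate: {1}' -f $b.Binding, $state
    if ($state -ne 'Enabled') {
        # Print, not run, the article's update command with this binding's own values.
        "  netsh http update sslcert $($b.Param)=$($b.Binding) certhash=$($b.'Certificate Hash') " +
            "appid=$($b.'Application ID') sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable"
    }
}
```

Run the printed command from an elevated command prompt, as in the steps above, after confirming that the port is the one the failing clients connect to.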